One key point that I took from NIST SP 800-18r1 “Guide for Developing Security Plans for Federal Information Systems” is that one of the most crucial parts of having a comprehensive SSP is keeping it updated. A good SSP is updated at least once a year, and many times should be updated even more frequently due to changes in the threat environment, changes in the industry that the business/organization is in, changes in the organization itself (e.g. new system owner, authorizing official, etc.), and more. A proficient SSP will always have the date it was completed, the date it was authorized by the authorizing official, the date of every update completed, and the updated version number. An organization that does not update its SSP regularly will be at increased risk of a loss due to attack, and thus, increased risk of revenue/profit loss and key employees being fired or let go. This is why it is a main responsibility of the system owner, authorizing official, and other designated contacts to work together to maintain the security of their organization and the security of their jobs.
NIST Special Publication 800-18 Revision 1 is a set of recommendations of The National Institute of Standards and Technology for developing security plans. System security planning aims to improve the protection of information systems. The purpose of the system security plan is to provide an overview of the system’s security requirements and describe the controls in place or planned for meeting those requirements. This guide provides basic information on how to prepare a system security plan and is designed to be adaptable in various organizational structures and used as a reference by those assigned responsibility for security planning activity.
NIST SP 800-18 Revision 1, the Guide for Developing Security Plans for Federal Information Systems, is a set of recommendations of the National Institute of Standards and Technology for developing security plans.
This document provides a guideline for federal agencies to develop security plans that document the management, technical, and operational controls for national automated information systems.
NIST describes that the purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.
Kelly Sharadin says
A security program’s success is contingent upon an organization’s shared values toward security. One way to determine if an organization is security-focused is to assess whether guidance and adherence to information security guidelines are employed using a top-down approach. This is to say, individuals at the executive level to the operational levels have a clear understanding of security requirements and comply with stated requirements. Establishing common security controls reinforces a shared organizational responsibility of securing information systems, improves incident response times due to clearly defined roles and responsibilities, and empowers businesses to securely scale technology by baselining security requirements regardless of department or function.
Dhaval Patel says
The purpose of system security plans is to get an overview of the security requirements and minimum security controls of the system that are currently in place or are planned. Roles and responsibilities are also established. FIPS 199 can be used to determine the impact level and, based on those levels, baseline security controls can be applied from NIST SP 800-53. This is generally a living document, so constant review is performed, and as individuals leave the organization, system owners may need to be replaced.
Dan Xu says
Organizations need to update the system security plan in a timely manner, and the system security plan is a living document that requires periodic review, revision, action plans, and implementation of security controls. Developing an action plan requires tracking remedial actions. Risk vulnerabilities can be effectively avoided by updating when there are significant changes in information systems or interconnections. When danger occurs, risk aversion is often carried out through good measures. On the other hand, restricting permissions is another way of protecting system security. For the protection of information systems, establishing rules for the proper use and protection of subject data, and providing information system owners with security controls for the information systems where the input information about security requirements resides, can reduce the frequency of information leakage incidents. Decision makers need to decide who can access information systems and what type of privileges or access rights to use, and assist in identifying and assessing where common security control information resides. Dual measures protect system security and reinforce common organizational responsibility for protecting information systems.
zijian ou says
I agree that the security plan needs to be kept up to date. You point out that there is a whole process from when the organization finds a vulnerability to avoid the risk, which is an excellent example of the importance of a system security plan.
Victoria Zak says
Dan,
I agree organizations need to update their System Security Plan in a timely manner, especially within a year. Any policy, including this one, needs to be updated for the most recent material, and the process should be checked to ensure it reflects the policy. If you are following a policy that is outdated, it poses a risk for the company.
kofi bonsu says
Hello Dan,
I totally agree with you in regard to your analysis. However, NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b (3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections.
zijian ou says
When completed in the order of priority in the plan, these strategic tasks can significantly improve the efficiency and effectiveness of security decisions. It aligns the program with IT and business strategy and allows the organization to evaluate and validate compliance with changing laws, regulations, contracts, or other applicable standards. These tasks align the information security program with the organization’s IT and business strategies. It also provides overall guidance for the information security program. It prioritizes initiatives and corresponding tasks for multi-year execution of the plan while facilitating compliance with appropriate security-related regulatory requirements and current practices. A clear and concise security program allows executives, management, and employees to understand their desired goals, focus their efforts in the right direction, and know when they have achieved them.
Patrick Jurgelewicz says
Hey Zijian, I like how you pointed out the importance of system security plans aligning with both information security and the organization’s business strategies. It is important to balance the needs of the business with a secure strategy that allows for needed flexibility. I also agree that clarity in this program is necessary to allow all employees to be knowledgeable in this area and contribute best to the organization’s end goal.
Dan Xu says
Hi Zijian,
The strategic mandate you describe aligns plans with IT and business strategy, while allowing and validating responses to changing laws and contracts. I also believe that regular reviews, revisions, action plans, and implementation of security controls are a good strategy to effectively avoid risk gaps. Risk aversion is also another way to protect information systems when danger occurs. If two measures are arranged to protect the system security, the ability of the system to deal with risks can be improved.
Antonio Cozza says
Implementing the process described to create a system security plan will provide an efficient way to characterize the most useful information describing systems. Having the information regarding systems owners with corresponding systems, information system type, operational statuses, legacy environments, and change logs, etc. will prove most useful as it allows for quick and effective identification of responsibilities of system owners, changes made to information systems, types of information and types of systems in place, etc. The more clearly outlined all of these items are, the more effective the security plan will be for the organization. While the entire document is important, it is interesting to see the system environment as it is described by NIST SP 800-18r1; identifying legacy systems and the associated information regarding their environments was one of the particularly interesting sections.
Dan Xu says
Hi Antonio,
I agree with you that the clearer all these items are, the more effective the security plan will be for the organization. Because of the clarity in the initial planning regulations, entering information data into the appropriate systems can increase efficiency. Providing information system owners with security controls for the information systems where security requirements are entered can reduce the frequency of information breaches.
Dhaval Patel says
Hi Antonio,
I have to agree with your statement. In a previous role, I was working with a vendor to build out a data center for a client. A system security plan was in place and well documented, allowing us to understand who took on the role of system owner on days the individual was out, or, during employee rotations, who held what roles and responsibilities. It’s a great living document that allows everyone to stay up to date about the system and the individuals responsible for maintaining it.
Victoria Zak says
Antonio,
I agree with you. Having a System Security Plan in place is extremely important to the business. It includes clearly outlining the responsibilities of employees who work at the organization. More importantly, it can improve the efficiency of the organization’s decision-making.
Vraj Patel says
There are 3 types of security controls: Management, Operational, and Technical. Management controls are focused on managing the information system and the risk of the system. Operational controls focus on the security methods. These controls are used to improve the security of the system. Technical controls focus on the security controls that are being used within the system. Technical controls can also be used as an automated means to protect the system from any unauthorized access or misuse of the system.
zijian ou says
Hi Vraj,
I agree that you can best experience the importance of a security program by making the three security controls the focus.
Antonio Cozza says
Hi Vraj,
Of the three types of controls you mention, is there one that holds precedence over the others, or do they all play an equal role together in safeguarding information systems? They all have their advantages when they are properly / well-implemented, as well as their disadvantages when they are poorly implemented. An easy example is an attacker exploiting a poorly managed or implemented technical control to gain unauthorized access to a system.
kofi bonsu says
Hello Vraj,
I like your post so much. I also agree with you about three security controls management due to the fact that they are primarily focused on managing risks within an organizational information system.
Kyuande Johnson says
A compensating control is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time. Management, operational, or technical controls are employed by an agency in lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or comparable protection for an information system. Management security controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization’s security goals. Operational controls are security controls that are primarily implemented and executed by people (as opposed to systems). Technical controls, also known as logic controls, use technology to reduce vulnerabilities in hardware and software. Automated software tools are installed and configured to protect these assets.
Vraj Patel says
Hello Kyuande,
That’s a great post. Those three security controls, management, operational, and technical, are important to secure the information systems. Securing the information system would be much easier since it will be shared between those three controls, as you have mentioned in your post.
Victoria Zak says
Kyuande,
Great explanation on your post! Other examples of technical controls can be firewalls, encryption, and multi-factor identification. Technical controls play a big role in a company because they keep unauthorized users from gaining access to a system or personal data.
Lauren Deinhardt says
Hi Kyuande,
Thanks for your post! This is a great point. It is critical to understand the overall categorizations of security controls, as well as the impact/level of protection needed for assets requiring protection. FIPS 199 is a great resource in determining this.
Patrick Jurgelewicz says
This system security plan development document shows how important it is for a business to have proper organization, documentation, and controls when implementing their plan. By documenting personnel, operational status, system interconnections, etc., a system becomes easier to maintain and update. One of the most important documentations is the security objective potential impact because this directly affects the security controls in place. It is important to be honest and accurate in this classification to ensure necessary controls that protect an organization’s key functions and data.
Kelly Sharadin says
Hi Patrick,
Clear, accessible documentation is critical for businesses to effectively scale. I like your point speaking to the importance of documenting personnel. In my experience I have found maintaining updated contact matrices for the relevant information security personnel one of the most challenging tasks. However, being able to quickly identify who is the owner of an application, department or system is vital for incident response. Thanks for sharing your thoughts!
Kelly
Victoria Zak says
The System Security Plan is overall an extremely important piece to have within a company. A System Security Plan is a roadmap for the organization’s cybersecurity program. Without the SSP, things can get out of our control and cost the organization more money. As stated in the reading (3.13), the security controls for the applicable baseline are low-impact, moderate-impact, and high-impact. “For the low impact, an agency must employ the security controls from the low baseline of security controls defined in NIST SP 800-53 and must ensure that the minimum assurance requirements associated with the low baseline are satisfied. For moderate-impact, an agency must employ the security controls from the moderate baseline of security controls defined in NIST SP 800-53 and must ensure minimum assurance requirements associated with the moderate baseline are satisfied. For high impact, an agency must employ the security controls from the high baseline of security controls defined in NIST SP 800-53 and must ensure the minimum assurance requirements associated with the high baseline are satisfied.”
Security controls are also classified as management, operational, and technical. “Management controls are focused on the information system and the management risk for a system. Operational controls address security methods focusing on mechanisms primarily implemented and executed by people. Technical controls focus on security controls that the computer system executes.”
kofi bonsu says
The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. Developing a security plan primarily starts with the categorization of the system based on assessment of its impact level through the use of the FIPS 199 standard. The categorization of the system will serve as a solid foundation as the plan is being created, and it is then used in determining system boundaries. FIPS 200 is used to provide the minimum security requirements for federal information systems across various domains like access control. As part of the guidelines of NIST SP-800, the system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. When developing a security plan, there is no need to reinvent the wheel. NIST provides standards and best practices on the format and what information needs to be associated to develop a comprehensive and effective security plan.
Madalyn Stiverson says
This document walks through how to develop a plan that follows the NIST framework. First, you should identify and categorize the system. Next, you identify the system owner. This is one of the most important steps. If you can’t identify what’s on your network, you can’t protect it. So having an accurate data and system map is integral to designing your cybersecurity framework. Once you do this, you can gather more info about system type, operational status, and general purpose. Ultimately this should be an ongoing and continuous process, as your environment and the threat landscape will continue to evolve.
Once you have a system inventory, you can also rate the impact of a breach on confidentiality, integrity, and availability so you can assess the overall severity in the event of a cybersecurity incident.
Michael Jordan says
One key point that I took from NIST SP 800-18r1 “Guide for Developing Security Plans for Federal Information Systems” is that one of the most crucial parts of having a comprehensive SSP is keeping it updated. A good SSP is updated at least once a year, and many times should be updated even more frequently due to changes in the threat environment, changes in the industry that the business/organization is in, changes in the organization itself (e.g. new system owner, authorizing official, etc.), and more. A proficient SSP will always have the date it was completed, the date it was authorized by the authorizing official, the date of every update completed, and the updated version number. An organization that does not update its SSP regularly will be at increased risk of a loss due to attack, and thus, increased risk of revenue/profit loss and key employees being fired or let go. This is why it is a main responsibility of the system owner, authorizing official, and other designated contacts to work together to maintain the security of their organization and the security of their jobs.
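A small worked example, added here and not part of any post above, of the FIPS 199 high-water-mark categorization and baseline selection Madalyn and Victoria describe, combined with the missing-owner and annual-review checks Kelly and Michael raise. The inventory, owner names, and review dates are constructed.

```python
from datetime import date, timedelta

# Constructed inventory: each entry rates the impact of a loss of
# confidentiality, integrity and availability (FIPS 199) and records
# when the SSP was last reviewed. Systems, owners and dates are made up.
INVENTORY = [
    {"system": "HR payroll", "owner": "J. Doe",
     "C": "moderate", "I": "moderate", "A": "low",
     "last_reviewed": date(2023, 1, 15)},
    {"system": "public website", "owner": "A. Smith",
     "C": "low", "I": "moderate", "A": "moderate",
     "last_reviewed": date(2024, 3, 1)},
    {"system": "incident case tracker", "owner": None,
     "C": "high", "I": "moderate", "A": "low",
     "last_reviewed": date(2022, 11, 30)},
]

LEVELS = {"low": 1, "moderate": 2, "high": 3}
MAX_REVIEW_AGE = timedelta(days=365)   # "updated at least once a year"
AS_OF = date(2024, 6, 1)               # constructed review date

def categorize(system):
    """FIPS 199 security categorization: the overall impact level is the
    high-water mark of the three objectives, and FIPS 200 maps that level
    straight onto the matching SP 800-53 baseline."""
    overall = max((system["C"], system["I"], system["A"]), key=LEVELS.__getitem__)
    return {"SC": {k: system[k] for k in ("C", "I", "A")},
            "impact_level": overall,
            "baseline": f"NIST SP 800-53 {overall} baseline"}

def ssp_findings(system, today):
    """Flag the two gaps the discussion warns about: no identifiable
    system owner, and an SSP review older than a year."""
    findings = []
    if not system.get("owner"):
        findings.append("no system owner identified")
    if today - system["last_reviewed"] > MAX_REVIEW_AGE:
        findings.append("SSP review overdue")
    return findings

def review_inventory(inventory, today):
    """Categorize every system and attach its SSP findings."""
    return {s["system"]: {**categorize(s), "findings": ssp_findings(s, today)}
            for s in inventory}

if __name__ == "__main__":
    for name, r in review_inventory(INVENTORY, AS_OF).items():
        print(f"{name}: {r['impact_level']} -> {r['baseline']}; "
              f"{', '.join(r['findings']) or 'OK'}")
```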
Olayinka Lucas says
NIST Special Publication 800-18 Revision 1 is a set of recommendations of The National Institute of Standards and Technology for developing security plans. System security planning aims to improve the protection of information systems. The purpose of the system security plan is to provide an overview of the system’s security requirements and describe the controls in place or planned for meeting those requirements. This guide provides basic information on how to prepare a system security plan and is designed to be adaptable in various organizational structures and used as a reference by those assigned responsibility for security planning activity.
NIST SP 800-18 Revision 1, the Guide for Developing Security Plans for Federal Information Systems, is a set of recommendations of The National Institute of Standards and Technology for developing security plans.
This document provides a guideline for federal agencies to develop security plans that document the management, technical, and operational controls for national automated information systems.
Bernard Antwi says
NIST describes that the purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.
https://ndisac.org/dibscc/implementation-and-assessment/security-plans-and-assessments/system-security-plans/