Chapter 8 had a lot of similarities to Chapter 10 regarding the concepts of Information Security System planning. I think one key takeaway is how many stakeholders are required to oversee, authorize, plan and implement the system security plan; the number is quite impressive. Although there is sometimes significant overlap in roles, multiple roles must be included to ensure enterprise awareness and adoption. Another takeaway, paired with our FIPS 200 reading, is that it is becoming more apparent how these documents work together to create the system security plan by defining the minimum levels of security and then using NIST 800-53 to dial in those specific countermeasures.
One of the biggest takeaways from this reading was the use of compensating controls when implementing security controls. NIST prescribes different security controls to be implemented in the 17 security areas detailed in FIPS 200. Security, however, is not a “one size fits all” concept; not every organization will be able to implement the exact best practices in the NIST 800-53 guidelines. In those cases, compensating controls should be used (and more than likely are often used), making an understanding of this concept key to an IT auditor’s toolbox.
Hi Lauren,
Completely agree; not every organization can afford or requires an expensive EDR solution. However, ensuring some AV is installed on devices helps to mitigate attacks. Compensating controls can help organizations determine how to ensure a minimum baseline of coverage is applied without overly complicating the control, and they help with being cost-effective. Thanks!
Kelly
The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.
There are specific roles and responsibilities in information system security planning.
The chief information officer (CIO) is responsible for developing and maintaining an agency-wide information security program. The information system owner is responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system. The information owner is the agency official with statutory or operational authority for specified information and is responsible for establishing the controls for information generation, collection, processing, dissemination, and disposal. The SAISO is the agency official responsible for serving as the CIO’s primary liaison to the agency’s information system owners and ISSOs. The ISSO is the agency official assigned responsibility by the SAISO, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.
For security planning roles and responsibilities, the CISO (Chief Information Security Officer) is a C-level employee tasked with overseeing the company’s security strategy. Typical CISO responsibilities include:
Planning long-term security strategies, planning and implementing data loss prevention measures.
Managing access.
Ensuring that the company implements appropriate safeguards to meet compliance requirements.
Investigating any incidents and preventing them from occurring in the future, assessing security risks, and arranging security awareness training.
One highlight of NIST SP 800-100 Chapter 8 is the importance of roles and responsibilities in system security planning. Each of the roles provides accountability for system security planning, and some of these roles include the Chief Information Officer, Information System Owners, and Information System Security Officer. The CIO is responsible for maintaining and improving the organization’s information security program. Information system owners are responsible for developing the system security plan along with information owners, maintaining the system security plan, and ensuring that appropriate training is received by system users and support personnel.
Hi Antonio,
I understand the importance of what you say about roles and responsibilities in system security planning. Different roles have different responsibilities, and in general they exist to ensure that information systems maintain an appropriate operational security state and maintain system security plans.
My biggest takeaway from Chapter 8 of NIST SP 800-100 is that the different security planning roles have their corresponding responsibilities. The chief information officer is the agency official responsible for developing and maintaining agency-wide information, while the senior agency information security officer is the agency official responsible for serving as the CIO’s primary liaison with agency information system owners and ISSOs. The Information System Security Officer designates the responsible agency official who manages the information system owner to ensure that the information system maintains an appropriate state of operational security. Agencies have widely varying missions and organizational structures, and naming conventions for security planning-related roles and how related responsibilities are distributed among agency personnel may vary. Agencies should have policies regarding the system security planning process.
The chapter in the Information Security Handbook explains a broad outlook of information security program matters that are meant to assist managers in understanding how to establish, implement, and monitor an information security program; especially, the organization must make sure that the program provides overall responsibility to enable the proper selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The chapter goes on to say that the purpose of information security governance is to enable an agency to proactively and effectively implement suitable information security measures to assist its mission in a cost-effective manner, while managing changing information security risks appropriately. Hence, information security governance has its own set of demands, obstacles, activities, and types of possible structures. Information security governance also has a defining role in establishing major information security roles and responsibilities, and it influences information security policy development and oversight and ongoing monitoring activities within an organization in regard to security planning issues.
For employee security awareness and training, there are three main phases for proper execution: design, develop, and implement. During the design phase, you should identify the training needs of the organization, establish priorities, and seek buy-in. During the development phase, you should create material based on what behavior you want to reinforce and the skills you want your audience to learn and apply. You should make this material as specific as possible to the employee’s everyday job. This will allow them to more obviously realize the connection between the material and their work. The third phase is implementation. During this phase, the training program should be fully explained and supported by the organization. You should tailor your implementation based on the size and complexity of your organization. What is the best method for disseminating the information? Is it live lectures, interactive web training, video training, or something else?
Hi Madalyn,
I agree with you wholeheartedly on your fantastic assessment of employees’ training and education within an organizational outlook. This is so because, as employees are indeed humans, improving their information security literacy is a must. Information technology security awareness training educates employees about common scams, like email attachments containing malware, and phishing emails that request personal information.
On pages 8 through 12, the article states the responsibilities of each role. The roles include: agency head, CIO, senior agency information security officer, and related roles. Additionally, the article suspects: inspector general, CFO, Chief Privacy Officer, Physical Security Officer, Personnel Security Officer, and acquisitions/contracting.
The individuals are responsible for working together and ensuring the information security exists with their company’s responsibilities. For example, the Chief Enterprise Architect is responsible for leading agency enterprise architecture development and implementation efforts, collaborating with lines of business within the agency to ensure proper integration of lines of business into enterprise architecture, working closely with program managers, senior agency information security officer, and business owners to make sure technical requirements are addressed by applying the FEA and Security & Privacy Profile, etc. (Page 10).
The primary idea that stuck with me after reading NIST SP 800-100 Chapter 8 is that before a security plan and minimum security controls are decided on and implemented, this plan goes through the hands of many different people with power. For example, the following entities may all review and give input regarding a system security plan and minimum controls before they are published: the CIO, information system owner, information owner, SAISO (senior agency information system officer), ISSO (information system security officer), and potentially more. Although these positions have similar names and all have job tasks related to information security, their degree of seniority differs, which means that the responsibility they have and the responsiveness to their input differ also. Due to this idea, for a government agency or organization with highly sensitive data to pass an information security plan and define minimum security controls, there is a large degree of confidence that it is sufficient in mitigating risk.
NIST SP 800-100 (Information Security Handbook) is an overview of the essential and required information security elements to assist managers in understanding how to establish an information security program. Typically, organizations look to information security programs to ensure accurate selection and implementation of required security controls and to demonstrate the effectiveness of satisfying their stated security requirements.
The purpose of NIST SP 800-100 is to inform members of the information security management team about information security expectations to be implemented and overseen in their various organizations. The handbook guides a unified approach to information security programs across the federal government. Even though this document is federal sector-centric, the directory can also guide various other non-governmental, organizational, or institutional security requirements.