James Nyamokoh says
Regular updates to system security plans are crucial, especially when there are changes in ownership, architecture, or system status (Section 3.16, “Ongoing System Security Plan Maintenance”). What strategies can organizations adopt to ensure that updates to system security plans are timely, accurate, and reflective of real-time changes in the operational environment?
Jocque Sims says
Chapter 10 of NIST SP 800-100 does not address modern threats such as advanced persistent threats (APTs), ransomware, and supply chain attacks. Furthermore, it offers limited guidance on managing risks associated with emerging technologies like cloud computing, the Internet of Things (IoT), and artificial intelligence (AI). What recommendations could this chapter provide to effectively adapt risk management strategies to these evolving threats and organizational changes?
Nelson Ezeatuegwu says
One individual often fills multiple roles in the security planning process, especially in mid-size or small organizations. In practice, how do organizations ensure that the individual retains an appropriate level of independence and remains free from conflicts of interest?
Benjamin Rooks says
How much effort should we reasonably put into personnel contingencies? In NIST SP 800-18r1 much of the decision-making process falls to one person by default. Obviously in an actual corporate environment there will be a detailed hierarchy and flow of responsibility, but how many layers should that hierarchy have, and how often should we as security auditors push to update those responsibilities and assign new contingencies?
Andrea Baum says
How can system security plans evolve to adequately address the security challenges introduced by impending technologies like artificial intelligence?
Brittany Pomish says
What level of management is involved in developing the System Security Plan (SSP)? How does that look in a large organization compared to a smaller organization? Many times, the subject matter expert is not a C-suite employee.
Charles Lemon says
How do the duties and functions of the information system owner and the information owner intersect, and what makes collaboration between these two roles essential for an effective system security plan?
Nelson Ezeatuegwu says
Great question Charles! An information owner focuses on the data itself, defining its sensitivity, protection needs, classification and access control, while an information system owner focuses on the technical system used to store and manage that data. He is responsible for the entire lifecycle of a system that processes that data, including procurement, development, operation, and maintenance. Their collaboration in identifying critical data, assigning appropriate security controls, and ensuring the plan aligns with organizational security policies is essential for an effective system security plan.
Ericberto Mariscal says
After reading Chapter 10 of NIST SP 800-100, which of the six steps involved in the Identification and Assessment of Risk do you believe would be the most challenging, and why?
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Risk Analysis
5. Control Recommendations
6. Results documentation
Gbolahan Afolabi says
Hello Eric,
I believe the risk analysis portion would be the most difficult, as it would require a combination of qualitative and quantitative approaches to calculating the risks of operations, analysis of the level of motivation a threat source has, potential threats and vulnerabilities, and the impact on a system and the controlling organization if one or more security controls fail. No other step involves the calculation and input of other modules quite like option 4.
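To make the risk analysis step (step 4 of the six listed above) concrete, here is an added worked example; it is not code from the original discussion, from NIST, or from any course material. It combines the two approaches the reply mentions: a qualitative likelihood-by-impact matrix (weights modelled on the 3x3 matrix in NIST SP 800-30) and a quantitative annualized loss expectancy (ALE = SLE x ARO), then ranks a small risk register by both. The scoring rule inside `likelihood()`, the register entries and the dollar figures are assumptions constructed for the example.

```python
"""Added example (not from the original discussion thread): a small
risk-analysis step for the six-step process listed above.  It combines a
qualitative likelihood/impact matrix (weights modelled on the 3x3 matrix in
NIST SP 800-30) with a quantitative annualized loss expectancy, and ranks a
constructed risk register.  All register entries and dollar figures are
constructed sample data, not real findings."""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
# SP 800-30 style weights: likelihood 0.1/0.5/1.0, impact 10/50/100.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Risk:
    name: str
    threat_motivation: str      # Low/Medium/High: motivation and capability of the threat source
    vuln_severity: str          # Low/Medium/High: how readily the weakness can be exercised
    control_effectiveness: str  # Low/Medium/High: how well current controls mitigate it
    impact: str                 # Low/Medium/High: mission/business impact if the risk is realised
    sle: float                  # single loss expectancy in dollars (constructed)
    aro: float                  # annualized rate of occurrence (constructed)


def likelihood(r: Risk) -> str:
    """Derive a likelihood level from threat motivation, vulnerability severity and
    existing control effectiveness (this scoring rule is an assumption of the example)."""
    score = LEVELS[r.threat_motivation] + LEVELS[r.vuln_severity] - LEVELS[r.control_effectiveness]
    if score >= 4:   # strong motivation, an easy-to-exercise weakness, weak controls
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def qualitative_risk(likelihood_level: str, impact_level: str) -> str:
    """Likelihood x impact matrix: >50 is High, >10 is Medium, otherwise Low."""
    score = LIKELIHOOD_WEIGHT[likelihood_level] * IMPACT_WEIGHT[impact_level]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(r: Risk) -> float:
    """Quantitative side: ALE = SLE x ARO."""
    return r.sle * r.aro


def analyze(register: list[Risk]) -> list[dict]:
    """Score every risk both ways and rank by qualitative level, then by ALE."""
    rows = []
    for r in register:
        lik = likelihood(r)
        rows.append({
            "name": r.name,
            "likelihood": lik,
            "impact": r.impact,
            "risk": qualitative_risk(lik, r.impact),
            "ale": annualized_loss_expectancy(r),
        })
    rows.sort(key=lambda row: (-LEVELS[row["risk"]], -row["ale"]))
    return rows


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("Ransomware on the shared file server", "High", "Medium", "Low", "High", 250_000, 0.5),
    Risk("Exploitation of an unpatched legacy web portal", "High", "High", "Medium", "Medium", 60_000, 1.0),
    Risk("Insider misuse of administrative accounts", "Medium", "Medium", "Medium", "High", 80_000, 0.2),
    Risk("Lost laptop with full-disk encryption", "Low", "Medium", "High", "Medium", 20_000, 2.0),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_REGISTER):
        print(f'{row["risk"]:6} likelihood={row["likelihood"]:6} impact={row["impact"]:6} '
              f'ALE=${row["ale"]:>10,.0f}  {row["name"]}')
```

Running it shows why the step is hard to get right: the encrypted-laptop entry has a higher ALE than the insider-misuse entry, yet ranks lower because its qualitative likelihood and impact are both modest, so the two approaches have to be reconciled rather than used in isolation.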
Vincenzo Macolino says
With emerging cybersecurity threats, how often do you think SSPs need to be reviewed, and how difficult/stressful do you think that process is?
Aisha Ings says
Hi Vincenzo,
I think SSPs should be reviewed at least annually or whenever there are significant changes to the system. It’s only stressful if the plan hasn’t been maintained properly over time. In our readings, the importance of continuous monitoring was emphasized, which helps identify and address potential issues as they arise. If the department is proactive about keeping the plan up to date and monitoring the system regularly, it should make the review process much easier and far less stressful.
Aisha Ings says
How do system interconnections, as described in the FedRAMP and NIST guidelines, affect an organization’s ability to manage security risks?
Gbolahan Afolabi says
How available should System Security Plans (SSPs) be? Since they may contain highly sensitive information about systems containing confidential information, should they be protected with a form of attribute-based access control (ABAC)? Which operation controls, as part of the minimum security controls within NIST SP 800-18, would you assume would be the least utilized?