Unit 1b – Planning and Policy

Readings:

• Boyle and Panko, Chapter 2 Planning and Policy
• NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, Chapter 8 – Security Planning, pp.67-77
• NIST SP800-60V1R1: “Guide for Mapping Types of Information and Information Systems to Security Categories”, pp.1-34
• FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems”, pp.1-9

Reference:

• NIST SP800-60V2R1: “Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories”
• NIST SP 800-53r5 “Security and Privacy Controls for Information Systems and Organizations”
• NIST SP 800-53Ar5 “Assessing Security and Privacy Controls for Information and Information Systems”
• NIST SP 800-53B “Control Baselines for Information Systems and Organizations”

Exercise 1:

How would you approach assessing the completeness (breadth and depth) of the Generic Information Security Policy example?

• Generic Information Security Policy Example

Exercise 2:

Find a preliminary categorization for the following information system and adjust the categorization based on your analysis – present justifications for both preliminary and adjusted categorizations

Purpose: The system has two overarching purposes:

1. 1. For clients it is a system intended to help understand sewage and storm water collection and treatment systems (i.e. pipe networks, pump stations, and treatment plants) and their capacities, overflow characteristics and controls
   2. For the firm the system is intended to provide revenue through pay by clients for direct use of the service(s) of the system

Users:

1. 1. Municipal and regional water and sewer utilities and governmental organizations will use the system to help plan capital improvement, operations, and maintenance of sewer systems (i.e. sewage treatment plants and sewage collection networks)
   2. External consultants helping municipal and regional water and sewer utilities plan capital improvement, operations, and maintenance of sewer systems
   3. The firm’s technical information system development staff will work directly on the information system to provide, maintain, enhance and extend the services of the information system to (1) and (2)