The main thrust of this article is that even if a system security program has been certified or implemented, its ongoing maintenance and updating remain critical. Due to the ever-changing nature of technology, organizations often find that their security programs no longer meet the latest security standards or requirements. When changes such as staff turnover, infrastructure upgrades, system architecture adjustments, or business expansion occur within an organization, it is imperative that its security program be revised and improved in a timely manner.
To address these challenges, every organization should have a mechanism in place to ensure that the relevant documents always reflect the latest situation and are in line with industry best practices. In addition, we need to think of the system security plan as a “dynamic” document, as security threats often evolve at a rate that matches, and sometimes exceeds, that of our defenses. As a result, we must be constantly vigilant in adapting and optimizing our security strategy to ensure that we are able to effectively address potential security risks at all times.
NIST 800-100 Information Security Handbook Chapter 8 is about security planning. After reading this chapter, what impressed me most was the approval of the system security plan. This includes: system boundary analysis and security controls, security controls, scoping guidelines, compensating controls, and general security controls.
The purpose of information security governance and the system security plan is to ensure the proactive implementation of appropriate information security controls that align with business objectives and support agency missions in a cost-effective manner. This involves managing evolving information security risks, identifying key information security roles and responsibilities, and influencing the development and oversight of information security policies and ongoing monitoring activities. To achieve this, a formal information security governance structure should be established, defining the framework, supporting management structure, and processes to ensure alignment with business objectives, compliance with applicable laws and regulations, and the assignment of responsibility. The system security plan outlines the security requirements of the system, specifies the controls implemented or planned to meet these requirements, and defines the responsibilities and expected behavior of all individuals accessing the system. It should incorporate inputs from various managers responsible for the system, including the information owner, system owner, and the agency’s senior information security officer. Together, these components provide a comprehensive approach to managing information security and ensuring the protection of critical systems and data.
NIST SP 800-100 is an outline for developing information system security management; it covers the responsibilities and rights of each role in security management, scope definition, and how controls are applied.
After reading this chapter, what popped into my mind is that it could also be beneficial for companies to establish some variation of an acceptable use policy on a department-by-department basis. This document, which could be some kind of standard operating procedure (SOP) or quick reference guide (QRG), wouldn’t have to be as formalized, but it could help close any potential rules of behavior gaps in the overarching acceptable use policy.
This chapter is about security planning. After reading this chapter, what impressed me most was the approval of the system security plan. This includes: system boundary analysis and security controls, security controls, scoping guidelines, compensating controls, and general security controls.
NIST 800-100 Information Security Handbook Chapter 8 is about security planning. What struck me the most after reading this chapter was the adoption of the system security program, which includes: system boundary analysis and security controls, security controls, scoping guidelines, compensating controls, and general security controls.
This chapter is about security planning. What struck me the most after reading this chapter was the adoption of the system security program, which includes: system boundary analysis and security controls, security controls, scoping guidelines, compensating controls, and general security controls.
This chapter lists all the roles and responsibilities of the parties involved in the system security planning process. Some of the roles mentioned in the reading were the Chief Information Officer, who is responsible for such things as developing and maintaining information security policies, procedures, and control techniques to address system security planning. The CIO is also responsible for identifying and developing common security controls for the agency. The information system owner is responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system. A final role mentioned was the information owner. The information owner establishes the rules for the appropriate use and protection of the subject data/information. This person is also responsible for deciding who has access to the information system and determines what types of privileges or access rights are associated with it. The goal of system security planning is to improve the protection of the information resources.
Information security management: Supervise and make necessary decisions to achieve business goals by protecting an organization’s information assets. Information security management is manifested through the development and use of information security policies, procedures, and guidelines, which are then applied by all relevant personnel throughout the organization.
Risk assessment includes:
System Characterization
Threat Identification
Vulnerability Identification
Risk Analysis
Control Analysis
Control Recommendations
Results Documentation
The network security plan mainly includes the following aspects:
1. Information security policy: Develop and implement a clear information security policy, clarifying the organization’s commitment and expectations for information security.
2. Risk assessment: Conduct a comprehensive risk assessment of the organization’s information assets, identify potential threats and vulnerabilities, and determine corresponding risk management strategies.
3. Security awareness training: Conduct regular security awareness training to enhance employees’ awareness and understanding of information security, enabling them to identify and respond to potential security threats.
4. Security control measures: Implement appropriate security control measures, including access control, identity authentication, encryption, firewalls, etc., to protect the confidentiality, integrity, and availability of information assets.
5. Incident response plan: Establish and test emergency response plans to respond to security incidents and accidents, take timely measures to reduce losses, and restore normal business operations.
6. Security monitoring and evaluation: Establish a security monitoring and evaluation mechanism, regularly inspect and evaluate the security of information systems, and discover and fix potential security vulnerabilities.
7. Continuous improvement: Establish a cycle of continuous improvement, continuously improve and refine information security plans through monitoring and evaluating results to adapt to constantly changing threats and risks.
The handbook is based on relevant information security laws and regulations, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. Its purpose is to help managers understand how to select and implement appropriate security controls and to clarify the results of compliance with security requirements.
Overall, the Information Security manual is an important tool that can help organizations improve information security, reduce security risks, and protect the security of their business and data.
Information security governance is a systematic management method designed to protect the information assets of an enterprise and ensure their confidentiality, integrity, and availability. The importance of information security governance is that it can help enterprises identify, evaluate, and manage the risks and threats to information assets, so as to take corresponding measures to reduce risk and to monitor and review the operation of information systems.
This chapter describes basic information on how to prepare a system security plan based on appropriate requirements. Today’s rapidly changing technological environment requires organizations to employ a minimum set of security controls to protect their information and information systems. The purpose of a system security plan is to outline the security requirements for a system and to describe the controls implemented or planned to meet those requirements. The system security plan also describes the responsibilities and expected behavior of all individuals accessing the system. It should reflect the views of the various managers responsible for the system, including the information owner, the system owner, and the SAISO. Organizations may, at their discretion, include additional information in the basic plan and add sections to the basic format specified here, as long as the major components described in this document are adequately covered and easily identifiable. Project managers, system owners, and security personnel in the organization must understand the system security planning process. In addition, users of the information system and those responsible for defining system requirements should also be familiar with the system security planning process because the system security plan is an important deliverable in the System Development Life Cycle (SDLC) process. Those responsible for implementing and managing information systems must be involved in addressing the security controls applied to their systems.
The rules of behavior, which are required in OMB Circular A-130, Appendix III, and are also a form of security control found in NIST SP 800-53, should clearly delineate responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance and be made available to every user prior to receiving authorization for system access.
The purpose of a system security plan is to provide an overview of system security requirements and describe the control measures developed or planned to meet these requirements. The system security plan also specifies the responsibilities and expected behaviors of all individuals accessing the system. Project managers, system owners, and security personnel within the organization must understand the system security planning process. The system security plan includes:
1. Major applications and general support systems: All information systems must be included in a system security plan and identified as either a major application (MA) or a general support system (GSS);
2. Security planning roles and responsibilities: Each organization should develop policies related to the system security planning process. The system security plan is a living document that requires regular review and modification, as well as a plan of action and milestones (POA&M) for implementing security controls;
3. Rules of behavior: Clearly define the responsibilities of all users and the expected use and behavior of the system, and clarify the consequences of noncompliant behavior;
4. Approval of the system security plan: Organizational policy stipulates that authorized officials independent of the system owner are responsible for approving the system security plan;
5. Security control selection: Before developing a system security plan, the information system and the information within it must be categorized based on a FIPS 199 impact analysis. Baseline security controls can then be tailored based on an assessment of risk and local conditions;
6. Completion and approval date: Provide the completion date of the system security plan, which should be updated every time the plan is reviewed and revised;
7. Ongoing system security plan maintenance: Once the system security plan is accepted, it must be regularly evaluated, any changes in system status, functionality, design, etc. must be reviewed, and the plan must continue to reflect correct information about the system.
Great point Xiduo. The FIPS 199 security categorization seems to be a recurring piece of information provided in the federal guidelines. Perhaps this is because security categorization sets the entire risk management framework in motion, where the designated impact levels of CIA determine the controls selected, implemented, assessed, authorized, and monitored.
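The FIPS 199 categorization step described in the post above (item 5) and in this reply, carried through as an added example; this is illustration code, not code from the thread, from NIST, or from any FedRAMP template. It applies the high-water mark per security objective across the information types a system processes, enforces the FIPS 199 rule that "not applicable" is permitted only for confidentiality and the FIPS 200 rule that no objective may be below LOW at the system level, and returns the overall impact level that selects the SP 800-53 low/moderate/high baseline. The three information types and their provisional impact values are constructed sample input.

```python
"""FIPS 199 security categorization via the high-water mark, feeding the
FIPS 200 / SP 800-53 baseline choice.  Added illustration; the information
types and impact values below are constructed, not taken from any agency."""

from typing import Dict, List, Tuple

# Ordered impact values.  FIPS 199 allows "NA" only for the confidentiality
# of an information type (e.g. public web content); never for I or A.
LEVELS = ["NA", "LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Tuple[str, Dict[str, str]]  # (name, {objective: impact})


def _check(info_type: InfoType) -> None:
    """Reject malformed entries before they can skew the high-water mark."""
    name, impacts = info_type
    for obj in OBJECTIVES:
        val = impacts.get(obj)
        if val not in LEVELS:
            raise ValueError(f"{name}: {obj} has invalid impact {val!r}")
        if val == "NA" and obj != "confidentiality":
            raise ValueError(f"{name}: NA is only allowed for confidentiality")


def high_water_mark(values: List[str]) -> str:
    """Highest impact value in the list, the FIPS 199 aggregation rule."""
    return max(values, key=LEVELS.index)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of an information system.

    For each objective take the high-water mark across every information
    type the system processes.  FIPS 200 does not permit NA at the system
    level, so a confidentiality high-water mark of NA is raised to LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for it in info_types:
        _check(it)
    category: Dict[str, str] = {}
    for obj in OBJECTIVES:
        hwm = high_water_mark([impacts[obj] for _, impacts in info_types])
        category[obj] = "LOW" if hwm == "NA" else hwm
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200 system impact level: high-water mark across the three
    objectives.  This value picks the SP 800-53 low/moderate/high baseline."""
    return high_water_mark([category[o] for o in OBJECTIVES])


def format_sc(label: str, impacts: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g.
    SC payroll = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    parts = ", ".join(f"({o}, {impacts[o]})" for o in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample: a general support system hosting three applications.
SAMPLE_SYSTEM: List[InfoType] = [
    ("public web content", {"confidentiality": "NA", "integrity": "MODERATE", "availability": "MODERATE"}),
    ("payroll records", {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}),
    ("audit logs", {"confidentiality": "LOW", "integrity": "HIGH", "availability": "LOW"}),
]

if __name__ == "__main__":
    for name, impacts in SAMPLE_SYSTEM:
        print(format_sc(name, impacts))
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_sc("system", sc))
    print("FIPS 200 impact level / SP 800-53 baseline:", overall_impact(sc))
```

Running it on the sample yields a MODERATE/HIGH/MODERATE system category and therefore a HIGH baseline, driven entirely by the integrity requirement of the audit logs; dropping that one information type to MODERATE would move the whole system, and every control selected for the SSP, down a baseline, which is why the categorization deserves the scrutiny the post gives it.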
Confidentiality:
1. Confidentiality refers to ensuring that only authorized users can access sensitive information and preventing unauthorized individuals or entities from obtaining or disclosing such information.
2. Potential impact:
(1)Protect sensitive information from unauthorized access and prevent information leakage or theft.
(2)Comply with laws and regulations, especially those related to personal privacy and confidential information.
(3)Enhance trust with customers, partners and stakeholders, and enhance the reputation and competitiveness of the organization.
Integrity:
1. Integrity refers to ensuring that information is not subject to unauthorized modification, tampering or damage during transmission, processing and storage.
2. Potential impact:
(1)Prevent data from being tampered with or damaged to ensure the accuracy and credibility of information.
(2)Protect critical systems and business data against business loss or legal liability due to data tampering.
(3)Improve the reliability of data and enhance users’ trust and dependence on information.
Availability:
1. Availability refers to ensuring that information and information systems are available when needed and can resist various unexpected events and malicious attacks.
2. Potential impact:
(1)Ensure the continuous availability of critical business functions and services and prevent service interruption or unavailability due to system failures or attacks.
(2)Improve user satisfaction and ensure that they have timely access to the information and services they need.
(3)Reduce business risk and reduce losses and costs due to service disruption or unavailability.
This manual defines information security governance, which can be used in the decision-making process for developing information security projects. A broad overview of information security program elements is provided to help managers understand how to establish and implement an information security program.
Information security governance is the process of establishing and maintaining a framework and supporting management structure and processes to ensure that the information security strategy is aligned with and supports business objectives, is consistent with applicable laws and regulations through compliance with policies and internal controls, and assigns related responsibilities, all in an effort to manage risk.
Shijie Yang says
Separation of powers and Rules of Behavior are crucial for system security planning. The system security plan first classifies information and then establishes baseline security controls. FIPS 200 provides seventeen minimum security requirements for federal information and information systems, and NIST SP 800-53 provides the security controls selected for the designated impact levels of information systems to meet the minimum security requirements in that standard. Security is usually planned through compensating controls and general security controls, and security controls are selected to meet at least the minimum requirements of FIPS 200. After formulating the plan, it is also necessary to regularly review and update it.
Xiaozhi Shi says
In this chapter, the system security plan is described, and its purpose is to provide an overview of the security needs of the system and to describe the controls that are in place or planned to meet those needs. The system security plan also describes the responsibilities and expected behaviors of all individuals accessing the system.
The article argues that project managers, system owners, and security personnel in an organization must understand the system security planning process. Users of information systems and those responsible for defining system requirements should also be familiar with the system security planning process. It also provides basic guidance on how to prepare a system security plan in accordance with applicable federal requirements.
Yuanjun Xie says
The purpose of information security governance is to ensure that agencies are proactively implementing appropriate information security controls to support their mission in a cost-effective manner, while managing evolving information security risks. As such, information security governance has its own set of requirements, challenges, activities, and types of possible structures. Information security governance also has a defining role in identifying key information security roles and responsibilities, and it influences information security policy development and oversight and ongoing monitoring activities. To ensure an appropriate level of support of agency missions and the proper implementation of current and future information security requirements, each agency should establish a formal information security governance structure. Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Xinyi Peng says
NIST SP 800-100 is a guideline issued by the National Institute of Standards and Technology for U.S. government agencies and organizations. After learning the basic concepts, we understand how to adapt strategies for risk management.
Shuting Zhang says
What I want to point out is the critical role of enterprise architecture in aligning business processes, IT infrastructure, and overall organizational requirements. The reading emphasizes that enterprise architecture serves as a framework for organizing the logic necessary for both business operations and IT systems. It standardizes the requirements of the company’s operating model, facilitating efficiency, consistency, and adaptability.
The four levels of architecture outlined – business process architecture, data or information-based architecture, application-based architecture, and technology architecture – highlight the comprehensive nature of enterprise architecture. Each level addresses specific aspects of the organization’s operations, from defining business capabilities and processes to managing data and applications, and establishing the underlying infrastructure. It also highlights the significance of strategic planning and alignment across business processes, data management, applications, and technology infrastructure to drive organizational success and competitiveness.
Guanhua Xiao says
I believe that the purpose of the system security plan is to outline the security requirements of the system and state the controls implemented or planned to be implemented to meet these requirements. The system security plan also specifies the responsibilities and expected behavior of all individuals accessing the system. It should reflect the input of the various managers responsible for the system, including the information owner, the system owner, and the agency’s senior information security officer.
Hongli Ma says
Chapter 8 of the NIST 800-100 Information Security Handbook emphasizes the importance of conducting post-incident reviews and incorporating lessons learned into the organization’s incident response procedures. One of the most striking points is the recommendation to perform a “hot wash” immediately after an incident response to identify immediate improvements that can be made. This rapid feedback loop allows organizations to quickly adapt and improve their incident response capabilities based on real-world experience. Additionally, the chapter highlights the need for thorough post-incident analyses to identify root causes and systemic issues that contributed to the incident. By continuously improving incident response processes through feedback and analysis, organizations can become more resilient to future security incidents.
Chun Liu says
Management authorization should be based on an assessment of management, operational, and technical controls. Since the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the POA&Ms. In addition, a periodic review of controls should also contribute to future authorizations. Reauthorization should occur prior to a significant change in processing, but at least every three years.
Xiaozhi Shi says
The FedRAMP System Security Plan (SSP) High Baseline Template provides a comprehensive template for cloud service providers to fully understand everything from provider inventories and attack surfaces to controls and mitigations. It provides very detailed requirements for the subscriber to track controls on an ongoing basis. In the control summary information form, the user can select the implementation status and control origination. It also has a template that explains what the solution is and how to implement it. I was surprised by the level of detail in the minimum security controls section.
Xiaozhi Shi says
Today’s rapidly changing technology environment requires federal agencies to adopt minimum security controls to protect their information and information systems. The purpose of a system security plan is to provide an overview of a system’s security requirements and to describe the controls in place or planned to meet those requirements.
Project managers, system owners, and security personnel in the organization must understand the system security planning process. In addition, users of the information system and those responsible for defining system requirements should also be familiar with the system security planning process because the system security plan is an important deliverable in the System Development Life Cycle (SDLC) process.
Yawen Du says
NIST SP 800-100 emphasizes that information security is an ongoing process, not just a one-time task or project. This means that organizations need to continually assess, monitor, and improve their information security practices in order to adapt to changing technology and business environments. The concepts and practices of risk management are also discussed, emphasizing the importance of identifying, assessing, mitigating, and monitoring information security risks. This helps organizations to understand the specific threats and vulnerabilities they face and take appropriate measures to mitigate the risks.
Information security is a constantly developing and evolving field, with new threats and vulnerabilities emerging, and organizations need to stay on top of new technologies and security practices and continue to learn and improve their information security capabilities.
Haoran Wang says
After reading chapter 8 I learned that the objective of system security planning is to improve the protection of information system resources. The protection of a system must be documented in a system security plan. It is very important for a senior management official to authorize a system to process information. The authorization process will provide good quality control. Management authorization must be based on an assessment of management, technical, and operational controls. Also, a periodic review of controls should contribute to future authorizations.
Yiwei Hu says
After reading the article, I learned that the goal of system security planning is to improve the protection of information system resources, and this process should be continuously promoted. This requires organizations to design, monitor, practice and improve information security processes and practices so that they can adapt to changing internal and external environments and threats. Chapter 8 of the NIST 800-100 Information Security Manual also emphasizes the importance of responding immediately after a threatened attack or incident. This is very conducive to improving the organization’s ability to respond to events later.
Shuyi Dong says
The main thrust of this article is that even if a system security program has been certified or implemented, its ongoing maintenance and updating is still critical. Due to the ever-changing nature of technology, organizations often find that their security programs no longer meet the latest security standards or requirements. When changes such as staff turnover, infrastructure upgrades, system architecture adjustments, or business expansion occur within an organization, it is imperative that its security program be revised and improved in a timely manner.
To address these challenges, every organization should have a mechanism in place to ensure that the relevant documents always reflect the latest situation and are in line with industry best practices. In addition, we need to think of the system security plan as a “dynamic” document, as security threats often evolve at a rate that matches, and sometimes even faster than, our defenses. As a result, we must be constantly vigilant in adapting and optimizing our security strategy to ensure that we are able to effectively address potential security risks at all times.
Yujie Cao says
NIST 800 100 Information Security Handbook Chapter 8 is about security planning. After reading this chapter, what impressed me most was the approval of the system security plan. These include: system boundary analysis and safety controls, safety controls, scope of application guidelines, compensatory controls, and general safety controls.
Zhang Yunpeng says
The purpose of information security governance and the system security plan is to ensure the proactive implementation of appropriate information security controls that align with business objectives and support agency missions in a cost-effective manner. This involves managing evolving information security risks, identifying key information security roles and responsibilities, and influencing the development and oversight of information security policies and ongoing monitoring activities. To achieve this, a formal information security governance structure should be established, defining the framework, supporting management structure, and processes to ensure alignment with business objectives, compliance with applicable laws and regulations, and the assignment of responsibility. The system security plan outlines the security requirements of the system, specifies the controls implemented or planned to meet these requirements, and defines the responsibilities and expected behavior of all individuals accessing the system. It should incorporate inputs from various managers responsible for the system, including the information owner, system owner, and the agency’s senior information security officer. Together, these components provide a comprehensive approach to managing information security and ensuring the protection of critical systems and data.
Xuanwen Zheng says
NIST SP 800-100 is an outline for developing information system security management, which covers the responsibilities and rights of each role in security management, scope definition, and how to apply controls.
Yue Ma says
After reading this chapter, what popped into my mind is that it could also be beneficial for companies to establish some variation of an acceptable use policy on a department-to-department basis. This document, which could be some kind of standard operating procedure (SOP) or quick reference guide (QRG), wouldn’t have to be as formalized, but it could help close any potential rules of behavior gaps in the overarching acceptable use policy.
Yujie Cao says
NIST 800 100 Information Security Handbook Chapter 8 is about security planning. What struck me the most after reading this chapter was the adoption of the system security program, which includes: system boundary analysis and security controls, security controls, application scope guidelines, compensating controls, and general security controls.
Yue Wang says
This chapter lists all the roles and responsibilities of the parties involved in the system security planning process. One of the roles mentioned in the reading is the Chief Information Officer, who is responsible for such things as developing and maintaining information security policies, procedures, and control techniques to address system security planning. The CIO is also responsible for identifying and developing common security controls for the agency. The information system owner is responsible for the overall procurement, development, integration, modification, and operation and maintenance of the information system. A final role mentioned is the information owner. The information owner establishes the rules for the appropriate use and protection of the subject data/information. This person is also responsible for deciding who has access to the information system and determines what types of privileges or access rights are associated with it. The goal of system security planning is to improve the protection of the information resources.
Zhaomeng Wang says
Information security management: Supervise and make necessary decisions to achieve business goals by protecting an organization’s information assets. Information security management is manifested through the development and use of information security policies, procedures, and guidelines, which are then applied by all relevant personnel throughout the organization.
Risk assessment includes:
System Characterization
Threat Identification
Vulnerability Identification
Risk Analysis
Control Analysis
Control Recommendations
Results Documentation
Zhaomeng Wang says
The network security plan mainly includes the following aspects:
1. Information security policy: Develop and implement a clear set of information security policies, clarifying the organization’s commitment and expectations for information security.
2. Risk assessment: Conduct a comprehensive risk assessment of the organization’s information assets, identify potential threats and vulnerabilities, and determine corresponding risk management strategies.
3. Security awareness training: Conduct regular security awareness training to enhance employees’ awareness and understanding of information security, enabling them to identify and respond to potential security threats.
4. Security control measures: Implement appropriate security control measures, including access control, identity authentication, encryption, firewalls, etc., to protect the confidentiality, integrity, and availability of information assets.
5. Event response plan: Establish and test emergency response plans to respond to safety incidents and accidents, take timely measures to reduce losses, and restore normal business operations.
6. Security monitoring and evaluation: Establish a security monitoring and evaluation mechanism, regularly inspect and evaluate the security of information systems, and discover and fix potential security vulnerabilities.
7. Continuous improvement: Establish a cycle of continuous improvement, continuously improve and refine information security plans through monitoring and evaluating results to adapt to constantly changing threats and risks.
Chenhao Zhang says
The handbook is based on relevant information security laws and regulations, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. Its purpose is to help managers understand how to select and implement appropriate safety controls and to clarify the results of compliance with safety requirements.
Overall, the Information Security manual is an important tool that can help organizations improve information security, reduce security risks, and protect the security of their business and data.
Hao Zhang says
Information security governance is a systematic management method designed to protect the information assets of an enterprise and ensure its confidentiality, integrity and availability. The importance of information security governance is that it can help enterprises to identify, evaluate and manage the risks and threats of information assets, so as to take corresponding measures to reduce risks and monitor and review the operation of information system.
Hao Li says
This chapter describes basic information on how to prepare a system security program based on appropriate requirements. Today’s rapidly changing technological environment requires organizations to employ a minimum set of security controls to protect their information and information systems. The purpose of a system security plan is to outline the security requirements for a system and to describe the controls implemented or planned to meet those requirements. The system security plan also describes the responsibilities and expected behavior of all individuals accessing the system. It should reflect the views of the various managers responsible for the system, including the information owner, the system owner, and the SAISO. Organizations may, at their discretion, include additional information in the basic plan and add sections to the basic format specified here, as long as the major components described in this document are adequately covered and easily identifiable. Project managers, system owners, and security personnel in the organization must understand the system security planning process. In addition, users of the information system and those responsible for defining system requirements should also be familiar with the system security planning process because the system security plan is an important deliverable in the System Development Life Cycle (SDLC) process. Those responsible for implementing and managing information systems must be involved in addressing the security controls applied to their systems.
The rules of behavior, which are required in OMB Circular A-130, Appendix III, and are also a form of security control found in NIST SP 800-53, should clearly delineate responsibilities and expected behavior of all individuals with access to the system. The rules should state the consequences of inconsistent behavior or noncompliance and be made available to every user prior to receiving authorization for system access.
Yuming He says
The purpose of a system security plan is to provide an overview of system security requirements and describe the control measures developed or planned to meet these requirements. The system security plan also specifies the responsibilities and expected behaviors of all individuals accessing the system. Project managers, system owners, and security personnel within the organization must understand the system security planning process. The system security plan includes:
1. Main Applications, General Support Systems: All information systems must be included in the system security plan and marked as Main Applications (MA) or General Support Systems (GSS);
2. Security planning roles and responsibilities: Each organization should develop policies related to the system security planning process. The system security plan is a live document that requires regular review and modification, as well as an action plan and milestone (POA&M) for implementing security controls;
3. Behavior rules: Clearly define the responsibilities of all users and the expected use and behavior of the system; clarify the consequences of non-compliant behavior;
4. Approval of System Security Plan: Organizational policy stipulates that authorized officials independent of the system owner are responsible for approving the system security plan;
5. Security control selection: Before developing a system security plan, the information system and the information within it must be classified based on FIPS 199 impact analysis. Then, baseline security controls can be customized based on an assessment of risks and local conditions;
6. Completion and Approval Date: Provide the completion date of the system security plan, which should be updated every time the plan is regularly reviewed and updated; Completion date;
7. Continuous system security plan maintenance: Once the information system security plan is recognized, it must be regularly evaluated; Review any changes in system status, functionality, design, etc; And ensure that the plan continues to reflect the correct information about the system.
Chunqi Liu says
Great point Xiduo. The FIPS 199 security categorization seems to be a recurring piece of information provided in the federal guidelines. Perhaps because security categorization sets the entire risk management framework in motion, where the designated impact levels of CIA determine the controls selected, implemented, assessed, authorized and monitored.
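The categorization step that Yuming He's item 5 and the reply above both point to can be made concrete. The following is an added worked example, not code from NIST SP 800-100 or from any commenter: it applies the FIPS 199 rule that a system's impact for each security objective is the highest impact of any information type it handles, and the FIPS 200 high-water mark (the maximum across confidentiality, integrity and availability) that selects the low, moderate or high NIST SP 800-53 baseline. The information types and impact values are constructed sample data; the system itself is hypothetical.

```python
"""FIPS 199 security categorization and the FIPS 200 high-water mark.

Added illustration; not code from NIST SP 800-100 or any forum poster.
All information types and impact values below are constructed sample data.
"""
from typing import Dict, List, Tuple

# FIPS 199 impact levels in ascending order. "N/A" is permitted only for
# the confidentiality of an individual information type (e.g. public data);
# an information system as a whole is never below LOW.
IMPACT_ORDER = {"N/A": -1, "LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types processed by a hypothetical system,
# each with the provisional impact assigned per security objective.
SAMPLE_INFO_TYPES: List[Tuple[str, Dict[str, str]]] = [
    ("public web content",
     {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"}),
    ("employee PII",
     {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}),
    ("payment records",
     {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"}),
]


def _validate(level: str, objective: str) -> str:
    """Reject unknown levels and N/A used outside confidentiality."""
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError(f"N/A is only allowed for confidentiality, not {objective}")
    return level


def _max_impact(a: str, b: str) -> str:
    return a if IMPACT_ORDER[a] >= IMPACT_ORDER[b] else b


def categorize_system(info_types: List[Tuple[str, Dict[str, str]]]) -> Dict[str, str]:
    """FIPS 199: per objective, take the highest impact over all information
    types; the system floor is LOW, so an N/A information type cannot pull
    the system's confidentiality below LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {obj: "LOW" for obj in OBJECTIVES}
    for _name, impacts in info_types:
        for obj in OBJECTIVES:
            category[obj] = _max_impact(category[obj], _validate(impacts[obj], obj))
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """FIPS 200: the system's overall impact is the maximum of C, I and A,
    and it selects the low/moderate/high SP 800-53 baseline."""
    level = "LOW"
    for obj in OBJECTIVES:
        level = _max_impact(level, category[obj])
    return level


def format_category(category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation SC = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def baseline_for(info_types: List[Tuple[str, Dict[str, str]]]) -> str:
    """Convenience: categorize, then return the baseline the high-water mark selects."""
    return high_water_mark(categorize_system(info_types))


if __name__ == "__main__":
    cat = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(cat))
    print("SP 800-53 baseline selected by high-water mark:", high_water_mark(cat))
```

Running it on the sample data gives a moderate/high/moderate categorization, so the single high-impact objective (integrity of payment records) pulls the whole system onto the high baseline; that is exactly why the reply above calls categorization the step that "sets the entire risk management framework in motion". Tailoring the baseline afterwards (scoping guidance, compensating controls) is outside this example.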
Yi Liu says
Confidentiality:
1. Confidentiality refers to ensuring that only authorized users can access sensitive information and preventing unauthorized individuals or entities from obtaining or disclosing such information.
2. Potential impact:
(1) Protect sensitive information from unauthorized access and prevent information leakage or theft.
(2) Comply with laws and regulations, especially those related to personal privacy and confidential information.
(3) Enhance trust with customers, partners and stakeholders, and enhance the reputation and competitiveness of the organization.
Integrity:
1. Integrity refers to ensuring that information is not subject to unauthorized modification, tampering or damage during transmission, processing and storage.
2. Potential impact:
(1) Prevent data from being tampered with or damaged to ensure the accuracy and credibility of information.
(2) Protect critical systems and business data against business loss or legal liability due to data tampering.
(3) Improve the reliability of data and enhance users’ trust and dependence on information.
Availability:
1. Availability refers to ensuring that information and information systems are available when needed and can resist various unexpected events and malicious attacks.
2. Potential impact:
(1) Ensure the continuous availability of critical business functions and services and prevent service interruption or unavailability due to system failures or attacks.
(2) Improve user satisfaction and ensure that they have timely access to the information and services they need.
(3) Reduce business risk and reduce losses and costs due to service disruption or unavailability.
Haixu Yao says
This manual defines information security governance, which can be used in the decision-making process for developing information security projects. A broad overview of information security program elements is provided to help managers understand how to establish and implement an information security program.
Information Security Governance is the process of: To manage risk, establish and maintain a framework that supports management structures and processes to ensure that the information security strategy is aligned with and supports business objectives, aligns with applicable laws and regulations through compliance with policies and internal controls, and assigns related responsibilities.