1 / 64

Preparing a System Security Plan

Preparing a System Security Plan. Overview. Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification. What is a System Security Plan (SSP) ? The SSP is the user’s guide for operating your system.

onawa
Download Presentation

Preparing a System Security Plan

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Preparing a System Security Plan

  2. Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification

  3. What is a System Security Plan (SSP)? • The SSP is the user’s guide for operating your system. • The SSP contains specific procedures and processes. • Has two parts: Written instructions and a technical information. • The written instruction provides all the explanations and steps necessary for a non-technical user to operate the system. • The profile only list the technical information.

  4. Pitfalls to avoid • Failure to submit a cover letter • Not providing detailed information • Use of generic phrases e.g. If feasible, When applicable, If possible, etc • Referring users to the profile for additional explanations

  5. Pitfalls to avoid • Failure to submit all required documents • Completely re-writing a plan instead of only making suggested changes • Failure to verify information in SSP to the profile

  6. Required Documents • Cover Letter • SSP • Profile • Certification • Network Security Plans or MOA/MOU for outside connections • Customer letters • Approved Variance letters

  7. Preparing the Security Plan

  8. Cover Page • Revision Log

  9. Cover Page Requirements • Facility Name and address • Cage Code • Type of Plan • Protection Level • Operating Environment • Outside Connections • Date and Revision number • Revision Log • Must be completed with each revision.

  10. 1. Introduction

  11. Introduction • Purpose • Identifies the purpose of the document • Identifies the purpose of the System • List of Attachments

  12. Introduction • Scope • Identifies the range of operations • Protection Level • Classification Level • Confidentiality, Integrity, Availability • Type of system • Categories of Information and formal access requirements • Operating Environment • Alternate Site Processing

  13. 2. Personnel Management

  14. Personnel Responsibilities • Contractor Management • How is the security policy supported by Management • ISSM Responsibilities • May be listed exactly from the NISPOM • ISSO Responsibilities • May be listed exactly from the NISPOM or may be tailored to what you want this person to do. • If using the ISSO Delegation Record, compare duties.

  15. Personnel Responsibilities • Users • Privileged Users • Other than the ISSM and ISSO. • What are these users allowed to do on your system. • General Users • What are these users allowed to do on your system

  16. 3. Certification and Accreditation

  17. Certification and Accreditation • Certification • Explain your certification process • Accreditation • Explain the accreditation process • Reaccreditation • Explain when reaccreditation is required and the process

  18. Certification and Accreditation • Certification of Similar Systems • Certification process • Define a similar system • Security Testing • Purpose • Describe the frequency • Self Inspections • Describe the frequency • Explain what will be inspected

  19. 4. System Identification and Requirements (SIRS)

  20. System Identification and Requirements Specification This is the beginning of the technical information and procedures for your system. • Pure Servers (8-503) • Provides non interactive service (e.g. messaging service) • No user access • No user code

  21. System Identification and Requirements Specification • Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504) • No General users • No user code • Mobile Systems (8-308) • A system that is used for classified processing outside your facilities cage code. • May be at another Contractor or a Government site

  22. 5. Protection Measures

  23. Protection Measures • Accounts and Logons • Identification and Management • Are logons being used • Explain how you create unique user IDs • Explain how authenticators (passwords) are created and passed to the user

  24. Protection Measures • Accounts and Logons • Requirements for Passwords • Identify password length • Password lifetime • Password complexity • Guidelines for User Generated Passwords • Explain the requirements users are to follow

  25. Protection Measures • Accounts and Logons • Generic or Group Accounts • Are these accounts authorized • Explain the purpose • Explain the access procedures

  26. Protection Measures • Session Controls • Logon Banner Requirements • Are you using the most current banner • How is the banner displayed • Action to remove the banner

  27. Protection Measures • Session Controls • Successive Logon Attempt Controls • Are they controlled? • Define the number of unsuccessful logon attempts before the account is locked • Explain your procedures for unlocking an account • System Entry Conditions • Explain how a user accesses the system

  28. Protection Measures • Access Controls • Explain what technical and physical controls are in place to protect the system. • BIOS Protection • Boot Sequence • Seals • Removable Hard drive protection

  29. Protection Measures • Audit Requirements • Frequency of Audits • Audit Configuration and Settings • Audit Management Overflow • Manual Logs required to be audited • List procedures if a variance is approved

  30. Protection Measures • System Recovery and Assurances • Explain how you are going to recover and certify your system in a controlled manner • Virus and Malicious Code Detection • Explain how you will detect malicious code • Explain procedures for updating antivirus definition files • Data Transmission Protection • Explain how data is transmitted

  31. Protection Measures • Clearance and Sanitization • Clearing • Authorized • Method used • Sanitization • Authorized • Method used

  32. Protection Measures • Protection Measure Variances • Identify any approved variances • Include a copy of the letter in the profile

  33. Personnel Security

  34. Personnel Security • Personnel Access to IS • Identify specific requirements users must meet before accessing the system • Security Education • Initial Training Requirements • Explain your training requirements • Ongoing IS Security Education Programs • Describe your ongoing security education program

  35. 7. Physical Security

  36. Physical Security • Operating Environment • You cannot identify multiple operating environments. • Briefly describe your environment

  37. 8. Maintenance

  38. Maintenance • Facility Maintenance Policy • Describe how maintenance will be performed and by whom • Cleared Maintenance Personnel • Uncleared Maintenance Personnel • Explain procedures for using uncleared personnel

  39. 9. Media Controls

  40. Media Controls • Classified Media • Define and provide examples • Protected Media • Define and provide examples • Unclassified or Lower Classified Media • Define and explain its use • Media Destruction • Explain how media is destroyed.

  41. 10. Output Procedures

  42. Output Procedures • Hardcopy Output Review • Define and provide procedures for review • Verify with hardware list to ensure you have a printer identified • Media Review and Trusted Downloading • Authorized • Method used • DSS Approved procedures • Non Approved procedures

  43. 11. Upgrade and Downgrade Procedures

  44. Upgrade and Downgrade Procedures • These procedures are required if operating in a Restricted Area, MPF, when using removable hard drives, or when performing periods processing • Procedures are specific to each system • Upgrade/Startup Procedure • Compare to your Upgrade Log • Downgrade/Shutdown Procedure • Compare to your Downgrade Log • Periods Processing • Authorized

  45. 12. Markings

  46. Marking • IS Hardware Components • List the documents that govern marking • Classified marking requirements • Markings for co-located systems

  47. Marking • Media • Unclassified Media Markings • Classified Media Markings • Overall classification level • Applicable special markings e.g. NATO, • Unclassified Title • Creation date • Derived from • Declassify on

  48. 13. Configuration Management Plan and System Configuration

  49. Configuration Management Plan and System Configuration • Configuration Management (CM) • The Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process of all security relevant aspects of the system. • Specify who is responsible for authorizing security relevant changes • Explain how changes are documented • Explain how the CM process is evaluated and frequency

  50. Configuration Management Plan and System Configuration • System Configuration • Hardware Description • Provide a generic description of your hardware e.g. Desktops, laptops, networked, non networked, etc. • List only the equipment that applies to your system • Hardware Requirements • Identify requirements that must be met prior to processing

More Related