Premium Essay

System Security Plan

In: Science

Submitted By tritech23
Words 1354
Pages 6
Name:
Professor’s name:
Course:
Date:

Introduction
A system security plan (SSP) document describes all the system security controls that apply to a system, their implementation status and how they are implemented. It therefore facilitates the implementation of security processes by guiding the individuals involved in that process.
This document is the first version of the system security plan (SSP) for the automated banking system. The purpose of this report is to describe the controls that are in place or planned, the expected behavior of the system, and the responsibilities of the individuals who use or access it. The document structures the planning process for implementing the security control procedures so as to provide adequate and cost-effective security protection for the system. Management, operational and technical controls have been identified and discussed in detail. The different families of system security controls are defined, and their implementation status and the way they are implemented are discussed comprehensively.

DOCUMENT CHANGE CONTROL

Version | Release Date | Summary of Changes | Addendum Number | Name
Version 1 | 22/4/2015 | | 1 | System security plan 1

SYSTEM IDENTIFICATION
The Automated Banking System (ABS) is a company application system that has been categorized as a primary system according to FIPS 199. ABS resides on a Windows 7 platform and has been deployed since 4/5/2013.

This SSP will be part of the certification and accreditation (C&A) package submitted to and accepted by the Certifier and the Designated Approving Authority (DAA), who will approve the system to operate.

System Owner Name: HKK
Office Symbol:
Title: System developers
Agency: XYZ
...
