Utilizing the attached Project Requirements, Template and Security Baseline Document, I need a minimum of 6 pages to meet the requirements of the rubric below.

Grading Rubric

System Security Plan

Sections 1 – 8 (System Identification)
  Excellent (10 points): Sections 1 – 8 present a thorough and complete identification of the system (Field Office General IT Support), the responsible individuals, and the system status. Key personnel (Section 5) roster contains three or more appropriate designated officials.
  Outstanding (8.5 points): Sections 1 – 8 identify the system (Field Office General IT Support), the responsible individuals, and the system status. Information was adapted from the Case Study. Key personnel (Section 5) roster contains at least two appropriate designated officials.
  Acceptable (7 points): Sections 1 – 8 were completed using information from the Case Study. Key personnel (Section 5) roster contains at least one appropriate designated official.
  Needs Improvement (6 points): Entered information for 6 or more sections. Information was incomplete or incorrect.
  Needs Significant Improvement (4 points): Completed less than 50% of the required information for sections 1-8. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 9: System Description / Purpose
  Excellent (10 points): Provided an excellent description of the Field Office General IT Support System. Integrated case study information to describe the business operations supported by the hardware, software, and networks which comprise the “General IT Support” system. Included information about the types and sensitivity of information processed by this system. Described the “smart home” and “Internet of Things” capabilities which are supported by the field office IT systems.
  Outstanding (8.5 points): Provided an outstanding description of the Field Office General IT Support System. Integrated case study information to describe the business operations including mention of the types and sensitivity of information processed by this system. Mentioned the “smart home” and “Internet of Things” capabilities which are supported by the field office IT systems.
  Acceptable (7 points): Provided an acceptable description of the Field Office General IT Support System. Integrated case study information to describe the business operations, mentioned the types of information processed, and the “smart home” / “Internet of Things” capabilities incorporated into the field offices.
  Needs Improvement (6 points): Described the field office business operations supported by the Field Office General IT Support System. The description lacked details.
  Needs Significant Improvement (4 points): Attempted to describe a General IT Support System. Did not integrate information from the case study. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 10: System Environment
  Excellent (10 points): Provided an excellent description of the enterprise architecture for the Field Office General IT Support System. Integrated case study information to clearly and accurately describe the hardware, software, and networks which comprise the “General IT Support” system. Included information about the devices and controllers used for the “smart home” and “Internet of Things” capabilities which are used by the field office.
  Outstanding (8.5 points): Provided an outstanding description of the enterprise architecture for the Field Office General IT Support System. Integrated case study information to describe the hardware, software, and networks which comprise the “General IT Support” system. Included information about the devices and controllers used for the “smart home” and “Internet of Things” capabilities which are used by the field office.
  Acceptable (7 points): Provided an acceptable description of the Field Office General IT Support System. Integrated case study information to describe the business operations, mentioned the types of information processed, and the “smart home” / “Internet of Things” capabilities incorporated into the field offices.
  Needs Improvement (6 points): Described the field office business operations supported by the Field Office General IT Support System. The description lacked details.
  Needs Significant Improvement (4 points): Attempted to describe a General IT Support System. Did not integrate information from the case study. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 11: System Interconnections / Information Sharing
  Excellent (10 points): Used information from the case study to identify (name) 5 or more interconnected systems and networks (including the LAN/WAN network connections between the field office and the operations center). Provided an excellent description for each that included the types and sensitivity levels of information transmitted over the connection (e.g. company proprietary information, customer information, public Internet information). Named the “owning” organization and responsible ISSO.
  Outstanding (8.5 points): Used information from the case study to identify (name) 4 or more interconnected systems and networks (including the LAN/WAN network connections between the field office and the operations center). Provided an outstanding description for each that included the types and sensitivity levels of information transmitted over the connection (e.g. company proprietary information, customer information, public Internet information). Named the “owning” organization and responsible ISSO.
  Acceptable (7 points): Used information from the case study to identify (name) 3 or more interconnected systems and networks (including the LAN/WAN network connections between the field office and the operations center). Provided an acceptable description for each. Named the “owning” organization.
  Needs Improvement (6 points): Section identified interconnected systems including the LAN / WAN network connections. Provided some information about the systems and networks.
  Needs Significant Improvement (4 points): Section named LAN / WAN network connections but provided no other information. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 12: Related Laws / Regulations / Policies
  Excellent (10 points): Provided an excellent overview of laws, regulations, and policies which establish specific requirements for the confidentiality, integrity, and availability of the data collected, processed, and/or stored in the Field Office General IT Support System. Named and described the applicability of 5 or more federal or state laws and regulations. Identified and described at least one internal policy which applies to the use of this system.
  Outstanding (8.5 points): Provided an outstanding overview of laws, regulations, and policies which establish specific requirements for the confidentiality, integrity, and availability of the data collected, processed, and/or stored in the Field Office General IT Support System. Named and described the applicability of 4 or more federal or state laws and regulations. Identified and described at least one internal policy which applies to the use of this system.
  Acceptable (7 points): Provided an acceptable list of laws, regulations, and policies which establish specific requirements for the confidentiality, integrity, and availability of the data collected, processed, and/or stored in the Field Office General IT Support System. Named and described the applicability of 3 or more federal or state laws and regulations. Identified and described at least one internal policy which applies to the use of this system.
  Needs Improvement (6 points): Named and described at least three legal (laws), regulatory (regulations or “rules”), and/or policy sources for security requirements which apply to the Field Office IT General Support System.
  Needs Significant Improvement (4 points): Named at least two laws, regulations, and/or policies as sources of security requirements for the Field Office IT General Support System. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 13: Introduction for Minimum Security Controls
  Excellent (5 points): Provided an excellent introduction for Section 13: Minimum Security Controls. Discussed the differences between management, operational, and technical categories of security controls. Used information from the case study and NIST SP 800-53.
  Outstanding (4 points): Provided an outstanding introduction for Section 13: Minimum Security Controls. Discussed the use of management, operational, and technical categories of security controls. Used information from the case study and NIST SP 800-53.
  Acceptable (3 points): Provided an acceptable introduction for Section 13: Minimum Security Controls. Mentioned the three categories (management, operational, technical). Used information from the case study and NIST SP 800-53.
  Needs Improvement (2 points): Provided an introduction for Section 13: Minimum Security Controls. Introduction used information from the case study but lacked important details.
  Needs Significant Improvement (1 point): Provided an introduction for Section 13. Did not customize the introduction for the case study. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 13 (a) Minimum Security Controls: Management Controls Category
  Excellent (10 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. CA) listed under the “management controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. CA-1) and provided an excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Outstanding (8.5 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. CA) listed under the “management controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. CA-1) and provided an outstanding description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Acceptable (7 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. CA) listed under the “management controls” category (in the baseline) using information from NIST SP 800-53. Provided a brief description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Needs Improvement (6 points): Listed and described three or more management controls (from NIST SP 800-53) which should be implemented for the Field Office IT General Support System.
  Needs Significant Improvement (4 points): Listed and described one or more management controls (from NIST SP 800-53) which should be implemented for the Field Office IT General Support System.
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 13 (b) Minimum Security Controls: Operational Controls Category
  Excellent (10 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AT) listed under the “operational controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. AT-1) and provided an excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Outstanding (8.5 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AT) listed under the “operational controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. AT-1) and provided an outstanding description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Acceptable (7 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AT) listed under the “operational controls” category (in the baseline) using information from NIST SP 800-53. Provided a brief description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Needs Improvement (6 points): Listed and described three or more operational controls (from NIST SP 800-53) which should be implemented for the Field Office IT General Support System.
  Needs Significant Improvement (4 points): Listed and described one or more operational controls (from NIST SP 800-53) which should be implemented for the Field Office IT General Support System. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Section 13 (c) Minimum Security Controls: Technical Controls Category
  Excellent (10 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AC) listed under the “technical controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. AC-1) and provided an excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Outstanding (8.5 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AC) listed under the “technical controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. AC-1) and provided an outstanding description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Acceptable (7 points): Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AC) listed under the “technical controls” category (in the baseline) using information from NIST SP 800-53. Provided a brief description of how the controls in each family work together to mitigate threats and vulnerabilities.
  Needs Improvement (6 points): Listed and described three or more technical controls (from NIST SP 800-53) which should be implemented for the Field Office IT General Support System.
  Needs Significant Improvement (4 points): Listed and described one or more technical controls (from NIST SP 800-53) which should be implemented for the Field Office IT General Support System. (Or, inappropriate or excessive copying from other authors’ work.)
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Sections 14-15: Completion & Approval Dates
  Excellent (5 points): Included both sections from the template file (14 & 15) and entered the completion date for the plan.
  Outstanding (3 points): Included section 14 from the template file and entered a completion date for the plan.
  Acceptable (0 points): N/A
  Needs Improvement (0 points): N/A
  Needs Significant Improvement (0 points): N/A
  Missing or Unacceptable (0 points): Insufficient, missing, or no work submitted.

Professionalism

Execution
  Excellent (10 points): Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required).
  Outstanding (8.5 points): Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). Work contains minor errors in word usage, grammar, spelling or punctuation which do not significantly impact professional appearance. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required).
  Acceptable (7 points): Work is professional in appearance and organization (minor issues allowable but overall the work contains appropriate and consistent use of fonts, headings, color). Errors in word usage, spelling, grammar, or punctuation which detract from professional appearance of the submitted work. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required).
  Needs Improvement (6 points): Submitted work has numerous errors in formatting, organization, word usage, spelling, grammar, or punctuation which detract from readability and professional appearance. Punctuation errors may include failure to properly mark quoted or copied material (an attempt to name the original source is required).
  Needs Significant Improvement (4 points): Submitted work is difficult to read / understand and has significant errors in formatting, appearance / organization, spelling, grammar, punctuation, or word usage. Significant errors in presentation of copied text (lacks proper punctuation and failed to attribute material to original source).
  Missing or Unacceptable (0 points): No work submitted. OR, work contains significant instances of cut-and-paste without proper citing / attribution to the original work or author.

Overall Score
  Excellent: 90 or more
  Outstanding: 80 or more
  Acceptable: 70 or more
  Needs Improvement: 56 or more
  Needs Significant Improvement: 36 or more
  Missing or Unacceptable Work: 0 or more
project__3_information_system_security_plan_template.docx

project__3_red_clay_renovations_it_security_controls_baseline.docx

project__3_system_security_plan.docx

Information System Security Plan
1. Information System Name/Title:
• Unique identifier and name given to the system. [use information from the case study]
2. Information System Categorization:
• Identify the appropriate system categorization [use the information from the case study].
3. Information System Owner:
• Name, title, agency, address, email address, and phone number of person who owns the system.
[Use the field office manager]
4. Authorizing Official:
• Name, title, agency, address, email address, and phone number of the senior management
official designated as the authorizing official. [Use the company’s Chief Information
Officer.]
5. Other Designated Contacts:
• List other key personnel, if applicable; include their title, address, email address, and phone
number. [include the CISO, the ISSO, and other individuals from the case study, if
appropriate]
6. Assignment of Security Responsibility:
• Name, title, address, email address, and phone number of person who is responsible for the
security of the system. [use the case study information]
7. Information System Operational Status:
• Indicate the operational status of the system. If more than one status is selected, list which part
of the system is covered under each status. [Use the case study information.]
8. Information System Type:
• Indicate if the system is a major application or a general support system. If the system contains
minor applications, list them in Section 9. General System Description/Purpose. [use the case
study information]
9. General System Description/Purpose
• Describe the function or purpose of the system and the information processes. [use the case
study information]
10. System Environment
• Provide a general description of the technical system. Include the primary hardware, software,
and communications equipment.
[use the case study information and diagrams. Add brand names, equipment types as required (if
not provided in the case study)]
11. System Interconnections/Information Sharing
• List interconnected systems and system identifiers (if appropriate), provide the system name,
owning or providing organization, system type (major application or general support system)
… add a fictional date of agreement to interconnect, and the name of the authorizing official.
12. Related Laws/Regulations/Policies
• List any laws or regulations that establish specific requirements for the confidentiality,
integrity, or availability of the data in the system.
13. Minimum Security Controls
Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for
each section. Cut and paste the tables from the provided security controls baseline to add the
individual security controls under each section. Use the sections and sub-sections as listed below.
13.1 Management Controls
[provide a descriptive paragraph]
13.1.1 [first control family]
[provide a descriptive paragraph]
13.1.2 [second control family]
…………
13.2 Operational Controls
[provide a descriptive paragraph]
13.2.1 [first control family]
13.2.2 [second control family]
…………..
13.3 Technical Controls
[provide a descriptive paragraph]
13.3.1 [ first control family]
13.3.2 [ second control family]
…………
Example:
14. Information System Security Plan Completion Date: _____________________
• Enter the completion date of the plan.
15. Information System Security Plan Approval Date: _______________________
• Enter the date the system security plan was approved and indicate if the approval
documentation is attached or on file.
Project #3: IT Security Controls Baseline for Red Clay Renovations
Red Clay Renovations’ IT Security policies, plans, and procedures shall use the following security control
classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the following controls. Each table lists the
control identifier, the control name from NIST SP 800-53, and the baseline selection for that control
(enhancement numbers in parentheses indicate the control enhancements that are also selected).
1. AC: Access Controls (Technical Controls Category)
Control | Control Name                                                | Baseline Selection
--------|-------------------------------------------------------------|---------------------------
AC-1    | Access Control Policy and Procedures                        | AC-1
AC-2    | Account Management                                          | AC-2 (1) (2) (3) (4)
AC-3    | Access Enforcement                                          | AC-3
AC-4    | Information Flow Enforcement                                | AC-4
AC-5    | Separation of Duties                                        | AC-5
AC-6    | Least Privilege                                             | AC-6 (1) (2) (5) (9) (10)
AC-7    | Unsuccessful Logon Attempts                                 | AC-7
AC-8    | System Use Notification                                     | AC-8
AC-11   | Session Lock                                                | AC-11 (1)
AC-12   | Session Termination                                         | AC-12
AC-14   | Permitted Actions without Identification or Authentication  | AC-14
AC-17   | Remote Access                                               | AC-17 (1) (2) (3) (4)
AC-18   | Wireless Access                                             | AC-18 (1)
AC-19   | Access Control for Mobile Devices                           | AC-19 (5)
AC-20   | Use of External Information Systems                         | AC-20 (1) (2)
AC-21   | Information Sharing                                         | AC-21
AC-22   | Publicly Accessible Content                                 | AC-22
2. AT: Awareness and Training (Operational Controls Category)
Control | Control Name                                        | Baseline Selection
--------|-----------------------------------------------------|-------------------
AT-1    | Security Awareness and Training Policy and Procedures | AT-1
AT-2    | Security Awareness Training                         | AT-2 (2)
AT-3    | Role-Based Security Training                        | AT-3
AT-4    | Security Training Records                           | AT-4
3. AU: Audit and Accountability (Technical Controls Category)
Control | Control Name                                  | Baseline Selection
--------|-----------------------------------------------|-------------------
AU-1    | Audit and Accountability Policy and Procedures | AU-1
AU-2    | Audit Events                                  | AU-2 (3)
AU-3    | Content of Audit Records                      | AU-3 (1)
AU-4    | Audit Storage Capacity                        | AU-4
AU-5    | Response to Audit Processing Failures         | AU-5
AU-6    | Audit Review, Analysis, and Reporting         | AU-6 (1) (3)
AU-7    | Audit Reduction and Report Generation         | AU-7 (1)
AU-8    | Time Stamps                                   | AU-8 (1)
AU-9    | Protection of Audit Information               | AU-9 (4)
AU-10   | Non-repudiation                               | Not Selected
AU-11   | Audit Record Retention                        | AU-11
AU-12   | Audit Generation                              | AU-12
4. CA: Security Assessment and Authorization (Management Controls Category)
Control | Control Name                                                   | Baseline Selection
--------|----------------------------------------------------------------|-------------------
CA-1    | Security Assessment and Authorization Policies and Procedures  | CA-1
CA-2    | Security Assessments                                           | CA-2 (1)
CA-3    | System Interconnections                                        | CA-3 (5)
CA-5    | Plan of Action and Milestones                                  | CA-5
CA-6    | Security Authorization                                         | CA-6
CA-7    | Continuous Monitoring                                          | CA-7 (1)
CA-9    | Internal System Connections                                    | CA-9
5. CM: Configuration Management (Operational Controls Category)
Control | Control Name                                   | Baseline Selection
--------|------------------------------------------------|-------------------
CM-1    | Configuration Management Policy and Procedures | CM-1
CM-2    | Baseline Configuration                         | CM-2 (1) (3) (7)
CM-3    | Configuration Change Control                   | CM-3 (2)
CM-4    | Security Impact Analysis                       | CM-4
CM-5    | Access Restrictions for Change                 | CM-5
CM-6    | Configuration Settings                         | CM-6
CM-7    | Least Functionality                            | CM-7 (1) (2) (4)
CM-8    | Information System Component Inventory         | CM-8 (1) (3) (5)
CM-9    | Configuration Management Plan                  | CM-9
CM-10   | Software Usage Restrictions                    | CM-10
CM-11   | User-Installed Software                        | CM-11
6. CP: Contingency Planning (Operational Controls Category)
Control | Control Name                                     | Baseline Selection
--------|--------------------------------------------------|-------------------
CP-1    | Contingency Planning Policy and Procedures       | CP-1
CP-2    | Contingency Plan                                 | CP-2 (1) (3) (8)
CP-3    | Contingency Training                             | CP-3
CP-4    | Contingency Plan Testing                         | CP-4 (1)
CP-5    | Withdrawn                                        |
CP-6    | Alternate Storage Site                           | CP-6 (1) (3)
CP-7    | Alternate Processing Site                        | CP-7 (1) (2) (3)
CP-8    | Telecommunications Services                      | CP-8 (1) (2)
CP-9    | Information System Backup                        | CP-9 (1)
CP-10   | Information System Recovery and Reconstitution   | CP-10 (2)
7. IA: Identification and Authentication (Technical Controls Category)
Control | Control Name                                                  | Baseline Selection
--------|---------------------------------------------------------------|-------------------------------
IA-1    | Identification and Authentication Policy and Procedures       | IA-1
IA-2    | Identification and Authentication (Organizational Users)      | IA-2 (1) (2) (3) (8) (11) (12)
IA-3    | Device Identification and Authentication                      | IA-3
IA-4    | Identifier Management                                         | IA-4
IA-5    | Authenticator Management                                      | IA-5 (1) (2) (3) (11)
IA-6    | Authenticator Feedback                                        | IA-6
IA-7    | Cryptographic Module Authentication                           | IA-7
IA-8    | Identification and Authentication (Non-Organizational Users)  | IA-8 (1) (2) (3) (4)
8. IR: Incident Response (Operational Controls Category)
Control | Control Name                              | Baseline Selection
--------|-------------------------------------------|-------------------
IR-1    | Incident Response Policy and Procedures   | IR-1
IR-2    | Incident Response Training                | IR-2
IR-3    | Incident Response Testing                 | IR-3 (2)
IR-4    | Incident Handling                         | IR-4 (1)
IR-5    | Incident Monitoring                       | IR-5
IR-6    | Incident Reporting                        | IR-6 (1)
IR-7    | Incident Response Assistance              | IR-7 (1)
IR-8    | Incident Response Plan                    | IR-8
9. MA: Maintenance (Operational Controls Category)
Control | Control Name                               | Baseline Selection
--------|--------------------------------------------|-------------------
MA-1    | System Maintenance Policy and Procedures   | MA-1
MA-2    | Controlled Maintenance                     | MA-2
MA-3    | Maintenance Tools                          | MA-3 (1) (2)
MA-4    | Nonlocal Maintenance                       | MA-4 (2)
MA-5    | Maintenance Personnel                      | MA-5
10. MP: Media Protection (Operational Controls Category)
Control | Control Name                              | Baseline Selection
--------|-------------------------------------------|-------------------
MP-1    | Media Protection Policy and Procedures    | MP-1
MP-2    | Media Access                              | MP-2
MP-3    | Media Marking                             | MP-3
MP-4    | Media Storage                             | MP-4
MP-5    | Media Transport                           | MP-5 (4)
MP-6    | Media Sanitization                        | MP-6
MP-7    | Media Use                                 | MP-7 (1)
11. PE: Physical and Environmental Protection (Operational Controls Category)
Control | Control Name                                                   | Baseline Selection
--------|----------------------------------------------------------------|-------------------
PE-1    | Physical and Environmental Protection Policy and Procedures    | PE-1
PE-2    | Physical Access Authorizations                                 | PE-2
PE-3    | Physical Access Control                                        | PE-3
PE-4    | Access Control for Transmission Medium                         | PE-4
PE-5    | Access Control for Output Devices                              | PE-5
PE-6    | Monitoring Physical Access                                     | PE-6 (1)
PE-8    | Visitor Access Records                                         | PE-8
PE-9    | Power Equipment and Cabling                                    | PE-9
PE-10   | Emergency Shutoff                                              | PE-10
PE-11   | Emergency Power                                                | PE-11
PE-12   | Emergency Lighting                                             | PE-12
PE-13   | Fire Protection                                                | PE-13 (3)
PE-14   | Temperature and Humidity Controls                              | PE-14
PE-15   | Water Damage Protection                                        | PE-15
PE-16   | Delivery and Removal                                           | PE-16
PE-17   | Alternate Work Site                                            | PE-17
12. PL: Planning (Management Controls Category)
Control | Control Name                                | Baseline Selection
--------|---------------------------------------------|-------------------
PL-1    | Security Planning Policy and Procedures     | PL-1
PL-2    | System Security Plan                        | PL-2 (3)
PL-4    | Rules of Behavior                           | PL-4 (1)
PL-8    | Information Security Architecture           | PL-8
13. PS: Personnel Security (Operational Controls Category)
Control | Control Name                               | Baseline Selection
--------|--------------------------------------------|-------------------
PS-1    | Personnel Security Policy and Procedures   | PS-1
PS-2    | Position Risk Designation                  | PS-2
PS-3    | Personnel Screening                        | PS-3
PS-4    | Personnel Termination                      | PS-4
PS-5    | Personnel Transfer                         | PS-5
PS-6    | Access Agreements                          | PS-6
PS-7    | Third-Party Personnel Security             | PS-7
PS-8    | Personnel Sanctions                        | PS-8
14. RA: Risk Assessment (Management Controls Category)
Control | Control Name                              | Baseline Selection
--------|-------------------------------------------|-------------------
RA-1    | Risk Assessment Policy and Procedures     | RA-1
RA-2    | Security Categorization                   | RA-2
RA-3    | Risk Assessment                           | RA-3
RA-5    | Vulnerability Scanning                    | RA-5 (1) (2) (5)
15. SA: System and Services Acquisition (Management Controls Category)
Control | Control Name                                             | Baseline Selection
--------|----------------------------------------------------------|----------------------
SA-1    | System and Services Acquisition Policy and Procedures    | SA-1
SA-2    | Allocation of Resources                                  | SA-2
SA-3    | System Development Life Cycle                            | SA-3
SA-4    | Acquisition Process                                      | SA-4 (1) (2) (9) (10)
SA-5    | Information System Documentation                         | SA-5
SA-8    | Security Engineering Principles                          | SA-8
SA-9    | External Information System Services                     | SA-9 (2)
SA-10   | Developer Configuration Management                       | SA-10
SA-11   | Developer Security Testing and Evaluation                | SA-11
16. SC: System and Communications Protection (Technical Controls Category)
Control | Control Name                                             | Baseline Selection
--------|----------------------------------------------------------|----------------------
SA-1    | System and Services Acquisition Policy and Procedures    | SA-1
SA-2    | Allocation of Resources                                  | SA-2
SA-3    | System Development Life Cycle                            | SA-3
SA-4    | Acquisition Process                                      | SA-4 (1) (2) (9) (10)
SA-5    | Information System Documentation                         | SA-5
SA-8    | Security Engineering Principles                          | SA-8
SA-9    | External Information System Services                     | SA-9 (2)
SA-10   | Developer Configuration Management                       | SA-10
SA-11   | Developer Security Testing and Evaluation                | SA-11
SC-28   | Protection of Information at Rest                        | SC-28
SC-39   | Process Isolation                                        | SC-39
17. SI: System and Information Integrity (Operational Controls Category)
Control | Control Name                                             | Baseline Selection
--------|----------------------------------------------------------|-------------------
SI-1    | System and Information Integrity Policy and Procedures   | SI-1
SI-2    | Flaw Remediation                                         | SI-2 (2)
SI-3    | Malicious Code Protection                                | SI-3 (1) (2)
SI-4    | Information System Monitoring                            | SI-4 (2) (4) (5)
SI-5    | Security Alerts, Advisories, and Directives              | SI-5
SI-7    | Software, Firmware, and Information Integrity            | SI-7 (1) (7)
SI-8    | Spam Protection                                          | SI-8 (1) (2)
SI-10   | Information Input Validation                             | SI-10
SI-11   | Error Handling                                           | SI-11
SI-12   | Information Handling and Retention                       | SI-12
SI-16   | Memory Protection                                        | SI-16
18. PM: Program Management (Management Controls Category)
Control | Control Name                                      | Baseline Selection
--------|---------------------------------------------------|-------------------
PM-1    | Information Security Program Plan                 | all
PM-2    | Senior Information Security Officer               | all
PM-3    | Information Security Resources                    | all
PM-4    | Plan of Action and Milestones Process             | all
PM-5    | Information System Inventory                      | all
PM-6    | Information Security Measures of Performance      | all
PM-7    | Enterprise Architecture                           | all
PM-8    | Critical Infrastructure Plan                      | all
PM-9    | Risk Management Strategy                          | all
PM-10   | Security Authorization Process                    | all
PM-11   | Mission/Business Process Definition               | all
PM-12   | Insider Threat Program                            | all
PM-13   | Information Security Workforce                    | all
PM-14   | Testing, Training, and Monitoring                 | all
PM-15   | Contacts with Security Groups and Associations    | all
PM-16   | Threat Awareness Program                          | all
CSIA 413: Cybersecurity Policy, Plans, and Programs
Project #3: System Security Plan
Company Background & Operating Environment
The assigned case study and attachments to this assignment provide information about “the
company.”
• Use the Baltimore field office as the target for the System Security Plan
• Use Verizon FiOS as the Internet Services Provider (see
http://www.verizonenterprise.com/terms/us/products/internet/sla/)
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to
protect information, information systems, and the information infrastructures for the company’s field
offices. This requirement has been incorporated into the company’s risk management plan and the
company’s CISO has been tasked with developing, documenting, and implementing the required security
measures. The IT Governance board also has a role to play since it must review and approve all changes
which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using
guidance from NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems. The
IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this
recommendation. In its discussions prior to the vote, the CISO explained why the best practices
information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also
accepted the CISO’s recommendation for creating a single System Security Plan for a General Support
System since, in the CISO’s professional judgement, this type of plan would best meet the
“formalization” requirement from the company’s recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the
required system security plan for a General Support System. In your research so far, you have learned
that:
• A general support system is defined as “an interconnected set of information resources
under the same direct management control that shares common functionality.” (See
NIST SP 800-18)
• The Field Office manager is the designated system owner for the IT support systems in
his or her field office.
• The system boundaries for the field office General Support System have already been
documented in the company’s enterprise architecture (see the case study).
• The security controls required for the field office IT systems have been documented in a
security controls baseline (see the controls baseline attached to this assignment).
Copyright ©2016 by University of Maryland University College. All Rights Reserved
Research:
1. Review the information provided in the case study and in this assignment, especially the
information about the field offices and the IT systems and networks used in their day to day
business affairs.
2. Review NIST’s guidance for developing a System Security Plan for a general support IT System.
This information is presented in NIST SP 800-18. http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf Pay special attention to the Sample Information Syst