Open Boat Text.pdf
Open boat.pdf
Do you need a similar assignment done for you from scratch? We have qualified writers to help you. We assure you an A+ quality paper that is free from plagiarism. Order now for an Amazing Discount!Use Discount Code “Newclient” for a 15% Discount!NB: We do not resell papers. Upon ordering, we do an original paper exclusively for you.
Actions for ‘Why is a separate System Security Plan required for each field office?’
Subscribe
Hide Description
Review the case study, project #3 description, and the weekly readings.
Prepare a one page briefing statement (3 to 5 paragraphs) for the company’s Corporate Board. This statement should answer the question: “Why is a separate System Security Plan (SSP) required for each field office?” (Or, put another way “Why doesn’t one size fits all work for SSP’s?”)
Do not assume that all members of the board are familiar with the purpose and contents of an SSP. Nor, will they be familiar with enterprise architectures and the details of the IT infrastructure for the field office.
Use the case study and provide specific information about “the company” in your briefing statement.
Provide in-text citations and references for 3 or more authoritative sources. Put the reference list at the end of your posting.PART ONE
The assigned case study and attachments to this assignment provide information about “the company.â€
Use the Baltimore field office as the target for the System Security Plan
Use Verizon FiOS as the Internet Services Provider (see http://www.verizonenterprise.com/terms/us/products/internet/sla/ )
A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the companyâ€
s field offices. This requirement has been incorporated into the companyâ€s risk management plan and the companyâ€s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play since it must review and approve all changes which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP-800-18 Guide for Developing Security Plans for Federal Information Systems. The IT Governance board, after reviewing the CISOâ€s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best practices information for security plans from NIST SP 800-18 was suitable for the companyâ€s use. The board also accepted the CISOâ€s recommendation for creating a single System Security Plan for a General Support System since, in the CISOâ€s professional judgement, this type of plan would best meet the “formalization†requirement from the companyâ€s recently adopted risk management strategy.
As a staff member supporting the CISO, you have been asked to research and then draft the required system security plan for a General Support System. In your research so far, you have learned that:
A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.†(See NIST SP 800-18)
The Field Office manager is the designated system owner for the IT support systems in his or her field office.
The system boundaries for the field office General Support System have already been documented in the companyâ€s enterprise architecture (see the case study).
The security controls required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).
s guidance for developing a System Security Plan for a general support IT System. This information is presented in NIST SP 800-18. http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf Pay special attention to the Sample Information System Security Plan template provided in Appendix A.s Internet connection Do not include the table. Use the business Internet Services Provider listed at the top of this assignment file. Describe the system interconnection type in this section and service level agreement.1. Information System Name/Title:
• Unique identifier and name given to the system. [use information from the case study]
2. Information System Categorization:
• Identify the appropriate system categorization [use the information from the case study].
3. Information System Owner:
• Name, title, agency, address, email address, and phone number of person who owns the system. [Use the field office manager]
4. Authorizing Official:
• Name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official. [Use the companyâ€s Chief Information Officer.]
5. Other Designated Contacts:
• List other key personnel, if applicable; include their title, address, email address, and phone number. [include the CISO, the ISSO, and other individuals from the case study, if appropriate]
6. Assignment of Security Responsibility:
• Name, title, address, email address, and phone number of person who is responsible for the security of the system. [use the case study information]
7. Information System Operational Status:
• Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status. [Use the case study information.]
8.0 Information System Type:
• Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose. [use the case study information]
9.0 General System Description/Purpose
• Describe the function or purpose of the system and the information processes. [use the case study information]
10. System Environment
• Provide a general description of the technical system. Include the primary hardware, software, and communications equipment.
[use the case study information and diagrams. Add brand names, equipment types as required (if not provided in the case study)]
11. System Interconnections/Information Sharing
• List interconnected systems and system identifiers (if appropriate), provide the system name, owning or providing organization, system type (major application or general support system) … add a fictional date of agreement to interconnect, and the name of the authorizing official.
12. Related Laws/Regulations/Policies
• List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system.
13. Minimum Security Controls
Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for each section. Cut and paste the tables from the provided security controls baseline to add the individual security controls under each section. Use the sections and sub-sections as listed below.
13.1 Management Controls
[provide a descriptive paragraph]
13.1.1 [first control family]
[provide a descriptive paragraph]
13.1.2 [second control family]
…………
13.2 Operational Controls
[provide a descriptive paragraph]
13.2.1 [first control family]
13.2.2 [second control family]
…………..
13.3 Technical Controls
[provide a descriptive paragraph]
13.3.1 [ first control family]
13.3.2 [ second control family]
…………
Example:
14. Information System Security Plan Completion Date: _____________________
• Enter the completion date of the plan.
15. Information System Security Plan Approval Date: _______________________
• Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file.
: IT Security Controls Baseline for Red Clay Renovations
Red Clay Renovations†IT Security policies, plans, and procedures shall use the following security control classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the following controls.
|
AC-1 |
Access Control Policy and Procedures |
AC-1 |
|
AC-2 |
Account Management |
AC-2 (1) (2) (3) (4) |
|
AC-3 |
Access Enforcement |
AC-3 |
|
AC-4 |
Information Flow Enforcement |
AC-4 |
|
AC-5 |
Separation of Duties |
AC-5 |
|
AC-6 |
Least Privilege |
AC-6 (1) (2) (5) (9) (10) |
|
AC-7 |
Unsuccessful Logon Attempts |
AC-7 |
|
AC-8 |
System Use Notification |
AC-8 |
|
AC-11 |
Session Lock |
AC-11 (1) |
|
AC-12 |
Session Termination |
AC-12 |
|
AC-14 |
Permitted Actions without Identification or Authentication |
AC-14 |
|
AC-17 |
Remote Access |
AC-17 (1) (2) (3) (4) |
|
AC-18 |
Wireless Access |
AC-18 (1) |
|
AC-19 |
Access Control for Mobile Devices |
AC-19 (5) |
|
AC-20 |
Use of External Information Systems |
AC-20 (1) (2) |
|
AC-21 |
Information Sharing |
AC-21 |
|
AC-22 |
Publicly Accessible Content |
AC-22 |
|
AT-1 |
Security Awareness and Training Policy and Procedures |
AT-1 |
|
AT-2 |
Security Awareness Training |
AT-2 (2) |
|
AT-3 |
Role-Based Security Training |
AT-3 |
|
AT-4 |
Security Training Records |
AT-4 |
|
AU-1 |
Audit and Accountability Policy and Procedures |
AU-1 |
|
AU-2 |
Audit Events |
AU-2 (3) |
|
AU-3 |
Content of Audit Records |
AU-3 (1) |
|
AU-4 |
Audit Storage Capacity |
AU-4 |
|
AU-5 |
Response to Audit Processing Failures |
AU-5 |
|
AU-6 |
Audit Review, Analysis, and Reporting |
AU-6 (1) (3) |
|
AU-7 |
Audit Reduction and Report Generation |
AU-7 (1) |
|
AU-8 |
Time Stamps |
AU-8 (1) |
|
AU-9 |
Protection of Audit Information |
AU-9 (4) |
|
AU-10 |
Non-repudiation |
Not Selected |
|
AU-11 |
Audit Record Retention |
AU-11 |
|
AU-12 |
Audit Generation |
AU-12 |
|
CA-1 |
Security Assessment and Authorization Policies and Procedures |
CA-1 |
|
CA-2 |
Security Assessments |
CA-2 (1) |
|
CA-3 |
System Interconnections |
CA-3 (5) |
|
CA-5 |
Plan of Action and Milestones |
CA-5 |
|
CA-6 |
Security Authorization |
CA-6 |
|
CA-7 |
Continuous Monitoring |
CA-7 (1) |
|
CA-9 |
Internal System Connections |
CA-9 |
|
CM-1 |
Configuration Management Policy and Procedures |
CM-1 |
|
CM-2 |
Baseline Configuration |
CM-2 (1) (3) (7) |
|
CM-3 |
Configuration Change Control |
CM-3 (2) |
|
CM-4 |
Security Impact Analysis |
CM-4 |
|
CM-5 |
Access Restrictions for Change |
CM-5 |
|
CM-6 |
Configuration Settings |
CM-6 |
|
CM-7 |
Least Functionality |
CM-7 (1) (2) (4) |
|
CM-8 |
Information System Component Inventory |
CM-8 (1) (3) (5) |
|
CM-9 |
Configuration Management Plan |
CM-9 |
|
CM-10 |
Software Usage Restrictions |
CM-10 |
|
CM-11 |
User-Installed Software |
CM-11 |
|
CP-1 |
Contingency Planning Policy and Procedures |
CP-1 |
|
CP-2 |
Contingency Plan |
CP-2 (1) (3) (8) |
|
CP-3 |
Contingency Training |
CP-3 |
|
CP-4 |
Contingency Plan Testing |
CP-4 (1) |
|
CP-5 |
Withdrawn |
— |
|
CP-6 |
Alternate Storage Site |
CP-6 (1) (3) |
|
CP-7 |
Alternate Processing Site |
CP-7 (1) (2) (3) |
|
CP-8 |
Telecommunications Services |
CP-8 (1) (2) |
|
CP-9 |
Information System Backup |
CP-9 (1) |
|
CP-10 |
Information System Recovery and Reconstitution |
CP-10 (2) |
|
IA-1 |
Identification and Authentication Policy and Procedures |
IA-1 |
|
IA-2 |
Identification and Authentication (Organizational Users) |
IA-2 (1) (2) (3) (8) (11) (12) |
|
IA-3 |
Device Identification and Authentication |
IA-3 |
|
IA-4 |
Identifier Management |
IA-4 |
|
IA-5 |
Authenticator Management |
IA-5 (1) (2) (3) (11) |
|
IA-6 |
Authenticator Feedback |
IA-6 |
|
IA-7 |
Cryptographic Module Authentication |
IA-7 |
|
IA-8 |
Identification and Authentication (Non-Organizational Users) |
IA-8 (1) (2) (3) (4) |
|
IR-1 |
Incident Response Policy and Procedures |
IR-1 |
|
IR-2 |
Incident Response Training |
IR-2 |
|
IR-3 |
Incident Response Testing |
IR-3 (2) |
|
IR-4 |
Incident Handling |
IR-4 (1) |
|
IR-5 |
Incident Monitoring |
IR-5 |
|
IR-6 |
Incident Reporting |
IR-6 (1) |
|
IR-7 |
Incident Response Assistance |
IR-7 (1) |
|
IR-8 |
Incident Response Plan |
IR-8 |
|
MA-1 |
System Maintenance Policy and Procedures |
MA-1 |
|
MA-2 |
Controlled Maintenance |
MA-2 |
|
MA-3 |
Maintenance Tools |
MA-3 (1) (2) |
|
MA-4 |
Nonlocal Maintenance |
MA-4 (2) |
|
MA-5 |
Maintenance Personnel |
MA-5 |
|
MP-1 |
Media Protection Policy and Procedures |
MP-1 |
|
MP-2 |
Media Access |
MP-2 |
|
MP-3 |
Media Marking |
MP-3 |
|
MP-4 |
Media Storage |
MP-4 |
|
MP-5 |
Media Transport |
MP-5 (4) |
|
MP-6 |
Media Sanitization |
MP-6 |
|
MP-7 |
Media Use |
MP-7 (1) |
|
PE-1 |
Physical and Environmental Protection Policy and Procedures |
PE-1 |
|
PE-2 |
Physical Access Authorizations |
PE-2 |
|
PE-3 |
Physical Access Control |
PE-3 |
|
PE-4 |
Access Control for Transmission Medium |
PE-4 |
|
PE-5 |
Access Control for Output Devices |
PE-5 |
|
PE-6 |
Monitoring Physical Access |
PE-6 (1) |
|
PE-8 |
Visitor Access Records |
PE-8 |
|
PE-9 |
Power Equipment and Cabling |
PE-9 |
|
PE-10 |
Emergency Shutoff |
PE-10 |
|
PE-11 |
Emergency Power |
PE-11 |
|
PE-12 |
Emergency Lighting |
PE-12 |
|
PE-13 |
Fire Protection |
PE-13 (3) |
|
PE-14 |
Temperature and Humidity Controls |
PE-14 |
|
PE-15 |
Water Damage Protection |
PE-15 |
|
PE-16 |
Delivery and Removal |
PE-16 |
|
PE-17 |
Alternate Work Site |
PE-17 |
|
PL-1 |
Security Planning Policy and Procedures |
PL-1 |
|
PL-2 |
System Security Plan |
PL-2 (3) |
|
PL-4 |
Rules of Behavior |
PL-4 (1) |
|
PL-8 |
Information Security Architecture |
PL-8 |
|
PS-1 |
Personnel Security Policy and Procedures |
PS-1 |
|
PS-2 |
Position Risk Designation |
PS-2 |
|
PS-3 |
Personnel Screening |
PS-3 |
|
PS-4 |
Personnel Termination |
PS-4 |
|
PS-5 |
Personnel Transfer |
PS-5 |
|
PS-6 |
Access Agreements |
PS-6 |
|
PS-7 |
Third-Party Personnel Security |
PS-7 |
|
PS-8 |
Personnel Sanctions |
PS-8 |
|
RA-1 |
Risk Assessment Policy and Procedures |
RA-1 |
|
RA-2 |
Security Categorization |
RA-2 |
|
RA-3 |
Risk Assessment |
RA-3 |
|
RA-5 |
Vulnerability Scanning |
RA-5 (1) (2) (5) |
|
SA-1 |
System and Services Acquisition Policy and Procedures |
SA-1 |
|
SA-2 |
Allocation of Resources |
SA-2 |
|
SA-3 |
System Development Life Cycle |
SA-3 </t
Do you need a similar assignment done for you from scratch? We have qualified writers to help you. We assure you an A+ quality paper that is free from plagiarism. Order now for an Amazing Discount! |
