650 likes | 848 Vues
Preparing a System Security Plan. Overview. Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification. What is a System Security Plan (SSP) ? The SSP is the user’s guide for operating your system.
E N D
Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification
What is a System Security Plan (SSP)? • The SSP is the user’s guide for operating your system. • The SSP contains specific procedures and processes. • Has two parts: Written instructions and a technical information. • The written instruction provides all the explanations and steps necessary for a non-technical user to operate the system. • The profile only list the technical information.
Pitfalls to avoid • Failure to submit a cover letter • Not providing detailed information • Use of generic phrases e.g. If feasible, When applicable, If possible, etc • Referring users to the profile for additional explanations
Pitfalls to avoid • Failure to submit all required documents • Completely re-writing a plan instead of only making suggested changes • Failure to verify information in SSP to the profile
Required Documents • Cover Letter • SSP • Profile • Certification • Network Security Plans or MOA/MOU for outside connections • Customer letters • Approved Variance letters
Cover Page • Revision Log
Cover Page Requirements • Facility Name and address • Cage Code • Type of Plan • Protection Level • Operating Environment • Outside Connections • Date and Revision number • Revision Log • Must be completed with each revision.
Introduction • Purpose • Identifies the purpose of the document • Identifies the purpose of the System • List of Attachments
Introduction • Scope • Identifies the range of operations • Protection Level • Classification Level • Confidentiality, Integrity, Availability • Type of system • Categories of Information and formal access requirements • Operating Environment • Alternate Site Processing
Personnel Responsibilities • Contractor Management • How is the security policy supported by Management • ISSM Responsibilities • May be listed exactly from the NISPOM • ISSO Responsibilities • May be listed exactly from the NISPOM or may be tailored to what you want this person to do. • If using the ISSO Delegation Record, compare duties.
Personnel Responsibilities • Users • Privileged Users • Other than the ISSM and ISSO. • What are these users allowed to do on your system. • General Users • What are these users allowed to do on your system
Certification and Accreditation • Certification • Explain your certification process • Accreditation • Explain the accreditation process • Reaccreditation • Explain when reaccreditation is required and the process
Certification and Accreditation • Certification of Similar Systems • Certification process • Define a similar system • Security Testing • Purpose • Describe the frequency • Self Inspections • Describe the frequency • Explain what will be inspected
System Identification and Requirements Specification This is the beginning of the technical information and procedures for your system. • Pure Servers (8-503) • Provides non interactive service (e.g. messaging service) • No user access • No user code
System Identification and Requirements Specification • Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504) • No General users • No user code • Mobile Systems (8-308) • A system that is used for classified processing outside your facilities cage code. • May be at another Contractor or a Government site
Protection Measures • Accounts and Logons • Identification and Management • Are logons being used • Explain how you create unique user IDs • Explain how authenticators (passwords) are created and passed to the user
Protection Measures • Accounts and Logons • Requirements for Passwords • Identify password length • Password lifetime • Password complexity • Guidelines for User Generated Passwords • Explain the requirements users are to follow
Protection Measures • Accounts and Logons • Generic or Group Accounts • Are these accounts authorized • Explain the purpose • Explain the access procedures
Protection Measures • Session Controls • Logon Banner Requirements • Are you using the most current banner • How is the banner displayed • Action to remove the banner
Protection Measures • Session Controls • Successive Logon Attempt Controls • Are they controlled? • Define the number of unsuccessful logon attempts before the account is locked • Explain your procedures for unlocking an account • System Entry Conditions • Explain how a user accesses the system
Protection Measures • Access Controls • Explain what technical and physical controls are in place to protect the system. • BIOS Protection • Boot Sequence • Seals • Removable Hard drive protection
Protection Measures • Audit Requirements • Frequency of Audits • Audit Configuration and Settings • Audit Management Overflow • Manual Logs required to be audited • List procedures if a variance is approved
Protection Measures • System Recovery and Assurances • Explain how you are going to recover and certify your system in a controlled manner • Virus and Malicious Code Detection • Explain how you will detect malicious code • Explain procedures for updating antivirus definition files • Data Transmission Protection • Explain how data is transmitted
Protection Measures • Clearance and Sanitization • Clearing • Authorized • Method used • Sanitization • Authorized • Method used
Protection Measures • Protection Measure Variances • Identify any approved variances • Include a copy of the letter in the profile
Personnel Security • Personnel Access to IS • Identify specific requirements users must meet before accessing the system • Security Education • Initial Training Requirements • Explain your training requirements • Ongoing IS Security Education Programs • Describe your ongoing security education program
Physical Security • Operating Environment • You cannot identify multiple operating environments. • Briefly describe your environment
Maintenance • Facility Maintenance Policy • Describe how maintenance will be performed and by whom • Cleared Maintenance Personnel • Uncleared Maintenance Personnel • Explain procedures for using uncleared personnel
Media Controls • Classified Media • Define and provide examples • Protected Media • Define and provide examples • Unclassified or Lower Classified Media • Define and explain its use • Media Destruction • Explain how media is destroyed.
Output Procedures • Hardcopy Output Review • Define and provide procedures for review • Verify with hardware list to ensure you have a printer identified • Media Review and Trusted Downloading • Authorized • Method used • DSS Approved procedures • Non Approved procedures
Upgrade and Downgrade Procedures • These procedures are required if operating in a Restricted Area, MPF, when using removable hard drives, or when performing periods processing • Procedures are specific to each system • Upgrade/Startup Procedure • Compare to your Upgrade Log • Downgrade/Shutdown Procedure • Compare to your Downgrade Log • Periods Processing • Authorized
Marking • IS Hardware Components • List the documents that govern marking • Classified marking requirements • Markings for co-located systems
Marking • Media • Unclassified Media Markings • Classified Media Markings • Overall classification level • Applicable special markings e.g. NATO, • Unclassified Title • Creation date • Derived from • Declassify on
Configuration Management Plan and System Configuration • Configuration Management (CM) • The Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process of all security relevant aspects of the system. • Specify who is responsible for authorizing security relevant changes • Explain how changes are documented • Explain how the CM process is evaluated and frequency
Configuration Management Plan and System Configuration • System Configuration • Hardware Description • Provide a generic description of your hardware e.g. Desktops, laptops, networked, non networked, etc. • List only the equipment that applies to your system • Hardware Requirements • Identify requirements that must be met prior to processing