Transcript Slide 1

Preparing a System Security Plan

Overview
Define a Security Plan
Pitfalls to avoid
Required Documents
Contents of the SSP
The profile
Certification
What is a System Security Plan (SSP)?
• The SSP is the user's guide for operating your system.
• The SSP contains specific procedures and processes.
• It has two parts: written instructions and technical information.
• The written instructions provide all the explanations and steps necessary for a non-technical user to operate the system.
• The profile lists only the technical information.
Pitfalls to avoid
• Failure to submit a cover letter
• Not providing detailed information
• Use of generic phrases, e.g. "If feasible", "When applicable", "If possible", etc.
• Referring users to the profile for additional explanations

Pitfalls to avoid
• Failure to submit all required documents
• Completely re-writing a plan instead of only making the suggested changes
• Failure to verify the information in the SSP against the profile
Required Documents
• Cover Letter
• SSP
• Profile
• Certification
• Network Security Plans or MOA/MOU for outside connections
• Customer letters
• Approved Variance letters
Preparing the Security Plan

• Cover Page
• Revision Log

Cover Page Requirements
• Facility Name and address
• Cage Code
• Type of Plan
• Protection Level
• Operating Environment
• Outside Connections
• Date and Revision number

Revision Log
• Must be completed with each revision.
1. Introduction

Introduction
• Purpose
  • Identifies the purpose of the document
  • Identifies the purpose of the System
• List of Attachments

Introduction
• Scope
  • Identifies the range of operations
  • Protection Level
  • Classification Level
  • Confidentiality, Integrity, Availability
  • Type of system
  • Categories of Information and formal access requirements
  • Operating Environment
  • Alternate Site Processing
2. Personnel Management

Personnel Responsibilities
• Contractor Management
  • How is the security policy supported by Management?
• ISSM Responsibilities
  • May be listed exactly from the NISPOM
• ISSO Responsibilities
  • May be listed exactly from the NISPOM, or may be tailored to what you want this person to do.
  • If using the ISSO Delegation Record, compare duties.

Personnel Responsibilities
• Users
  • Privileged Users
    • Other than the ISSM and ISSO.
    • What are these users allowed to do on your system?
  • General Users
    • What are these users allowed to do on your system?
3. Certification and Accreditation

Certification and Accreditation
• Certification
  • Explain your certification process
• Accreditation
  • Explain the accreditation process
• Reaccreditation
  • Explain when reaccreditation is required and the process

Certification and Accreditation
• Certification of Similar Systems
  • Certification process
  • Define a similar system
• Security Testing
  • Purpose
  • Describe the frequency
• Self Inspections
  • Describe the frequency
  • Explain what will be inspected
4. System Identification and Requirements (SIRS)

System Identification and Requirements Specification
This is the beginning of the technical information and procedures for your system.
• Pure Servers (8-503)
  • Provides a non-interactive service (e.g. messaging service)
  • No user access
  • No user code

System Identification and Requirements Specification
• Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504)
  • No General users
  • No user code
• Mobile Systems (8-308)
  • A system that is used for classified processing outside your facility's cage code.
  • May be at another Contractor or a Government site
5. Protection Measures

Protection Measures
• Accounts and Logons
  • Identification and Management
    • Are logons being used?
    • Explain how you create unique user IDs
    • Explain how authenticators (passwords) are created and passed to the user

Protection Measures
• Accounts and Logons
  • Requirements for Passwords
    • Identify password length
    • Password lifetime
    • Password complexity
  • Guidelines for User Generated Passwords
    • Explain the requirements users are to follow

Protection Measures
• Accounts and Logons
  • Generic or Group Accounts
    • Are these accounts authorized?
    • Explain the purpose
    • Explain the access procedures

Protection Measures
• Session Controls
  • Logon Banner Requirements
    • Are you using the most current banner?
    • How is the banner displayed?
    • Action to remove the banner

Protection Measures
• Session Controls
  • Successive Logon Attempt Controls
    • Are they controlled?
    • Define the number of unsuccessful logon attempts before the account is locked
    • Explain your procedures for unlocking an account
  • System Entry Conditions
    • Explain how a user accesses the system
Protection Measures
• Access Controls
  • Explain what technical and physical controls are in place to protect the system.
    • BIOS Protection
    • Boot Sequence
    • Seals
    • Removable Hard drive protection

Protection Measures
• Audit Requirements
  • Frequency of Audits
  • Audit Configuration and Settings
  • Audit Management Overflow
  • Manual Logs required to be audited
  • List procedures if a variance is approved

Protection Measures
• System Recovery and Assurances
  • Explain how you are going to recover and certify your system in a controlled manner
• Virus and Malicious Code Detection
  • Explain how you will detect malicious code
  • Explain procedures for updating antivirus definition files
• Data Transmission Protection
  • Explain how data is transmitted

Protection Measures
• Clearance and Sanitization
  • Clearing
    • Authorized
    • Method used
  • Sanitization
    • Authorized
    • Method used

Protection Measures
• Protection Measure Variances
  • Identify any approved variances
  • Include a copy of the letter in the profile
6. Personnel Security

Personnel Security
• Personnel Access to IS
  • Identify specific requirements users must meet before accessing the system
• Security Education
  • Initial Training Requirements
    • Explain your training requirements
  • Ongoing IS Security Education Programs
    • Describe your ongoing security education program
7. Physical Security

Physical Security
• Operating Environment
  • You cannot identify multiple operating environments.
  • Briefly describe your environment
8. Maintenance

Maintenance
• Facility Maintenance Policy
  • Describe how maintenance will be performed and by whom
• Cleared Maintenance Personnel
• Uncleared Maintenance Personnel
  • Explain procedures for using uncleared personnel
9. Media Controls

Media Controls
• Classified Media
  • Define and provide examples
• Protected Media
  • Define and provide examples
• Unclassified or Lower Classified Media
  • Define and explain its use
• Media Destruction
  • Explain how media is destroyed.
10. Output Procedures

Output Procedures
• Hardcopy Output Review
  • Define and provide procedures for review
  • Verify with the hardware list to ensure you have a printer identified
• Media Review and Trusted Downloading
  • Authorized
  • Method used
    • DSS Approved procedures
    • Non-Approved procedures
11. Upgrade and Downgrade Procedures

Upgrade and Downgrade Procedures
• These procedures are required if operating in a Restricted Area or MPF, when using removable hard drives, or when performing periods processing
• Procedures are specific to each system
• Upgrade/Startup Procedure
  • Compare to your Upgrade Log
• Downgrade/Shutdown Procedure
  • Compare to your Downgrade Log
• Periods Processing
  • Authorized
12. Markings

Marking
• IS Hardware Components
  • List the documents that govern marking
  • Classified marking requirements
  • Markings for co-located systems

Marking
• Media
  • Unclassified Media Markings
  • Classified Media Markings
    • Overall classification level
    • Applicable special markings, e.g. NATO
    • Unclassified Title
    • Creation date
    • Derived from
    • Declassify on
13. Configuration Management Plan and System Configuration

Configuration Management Plan and System Configuration
• Configuration Management (CM)
  • The Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process for all security-relevant aspects of the system.
  • Specify who is responsible for authorizing security-relevant changes
  • Explain how changes are documented
  • Explain how the CM process is evaluated, and how frequently

Configuration Management Plan and System Configuration
• System Configuration
  • Hardware Description
    • Provide a generic description of your hardware, e.g. desktops, laptops, networked, non-networked, etc.
    • List only the equipment that applies to your system
  • Hardware Requirements
    • Identify requirements that must be met prior to processing

Configuration Management Plan and System Configuration
• Change Control Procedures for Hardware
  • Addition of Hardware
    • List procedures to be followed when adding hardware
  • Removal of Hardware
    • List procedures to be followed when removing hardware
  • Reconfiguration of Hardware
    • List procedures to be followed when reconfiguring hardware
    • Who is authorized to reconfigure the system

Configuration Management Plan and System Configuration
• Software Description
  • Provide a generic description of the software authorized for use on the system
• Software Requirements
  • Identify limitations on the type of software that can be used
  • Identify protection requirements
  • Explain how software is introduced to the system
  • Address software development
  • Address malicious code

Configuration Management Plan and System Configuration
• Change Control Procedures for Software
  • Addition of Software
    • Identify who authorizes the addition of software
    • Identify what types of software can be added and by whom
    • Explain the documentation requirements for adding software

Configuration Management Plan and System Configuration
• Change Control Procedures for Software
  • Removal of Software
    • Identify who authorizes the removal of the software
    • Identify what types of software can be removed and by whom
    • Explain the documentation requirements for removing software
• Other SSP Changes
  • Who is authorized to make changes to the security plan
14. System Specific Risks and Vulnerabilities

System Specific Risks and Vulnerabilities
• Risk Assessment
  • Risk assessment is the process of analyzing the threats to and vulnerabilities of an IS, and the potential impact resulting from the loss of information or capabilities of the system.
  • You must identify whether there are any unique local threats
15. Network Security

Network Security
• Network Description
  • Describe your network
    • Unified
    • Interconnected
• Network Management Protections
  • Describe any physical or logical protections for network devices and cabling
System Profile

• Profile
  • Contains specific technical information about the system
  • Must be compared to the appropriate paragraph in the SSP
  • Does not contain routine procedures
  • Does contain special procedures

System Certification

• Certification
  • Physical inspection of your system
  • Written documentation to DSS that the system meets all NISPOM requirements
  • Certification Test Guide
  • NISP Tool

Summary
• Required Documentation
• Requirements of the SSP
• Requirements of the profile
• Certification

Questions