System Security Plan Instructions

advertisement
STANDARD
System Security Plan Instructions
Contents
System Name and Identifier
2
System Categorization
2
System Point of Contact (POC)
4
Authorizing Official (System Owner)
4
Other Designated Contacts
4
Assignment of Security Responsibility
4
System Operational Status
5
Information System Type
5
General Description/Purpose
5
System Environment
5
System Interconnection/Information Sharing
5
Laws, Regulations, and Policies Affecting the System
6
Security Control Selection
6
Completion Date
6
Approval Date
6
Ongoing SSP Maintenance
7
Standard: System Security Plan
Page 1 of 7
The System Security Plan (SSP) template should be completed during the ISDM Phase 2 (Scope Definition). The
intent is that this will get team members thinking about security considerations for the system and begin
identifying high-level requirements. In ISDM Phase 3 (Requirements Analysis), the project team will complete
the System Security Checklist (SSC) and will identify specific security requirements that should be designed into
the system and/or project.
System Name and Identifier
The first item listed in the SSP is the system name and identifier. Each system should be assigned a
name and acronym. Assignment of a unique identifier supports the agency's ability to easily collect
agency information and security metrics specific to the system as well as facilitate complete
traceability to all requirements related to system implementation and performance. This identifier may
change during the life of the system and be retained in audit logs related to system use.
System Categorization
Each system should be categorized using FIPS 199. Legacy systems may not have a completed SSP, as
a result some systems may lack this categorization. However, any system that flows through the ISDM
going forward will be categorized. NIST Special Publication 800-60, Guide for Mapping Types of
Information and Information Systems to Security Categories, provides implementation guidance in
completing this activity. See Table 1 for a summary of FIPS 199 categories.
Security categories (SC) can be applied to information systems. Per FIPS 200, an information system is
a set of resources organized for the collection, processing, maintenance, use, sharing, dissemination, or
disposition of information. For system classification, see this example:


A system will manage public information on a web server, the potential impact from a loss of
confidentiality is not applicable (N/A), the potential impact from a loss of integrity is moderate,
and the potential impact from a loss of availability is moderate, This results in the following SC:
o SC public information = {(confidentiality, N/A), (integrity, moderate), (availability,
moderate)}
A system will manage personally identifiable information (PII) on a web server, the potential
impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is
moderate, and the potential impact from a loss of availability is moderate, This results in the
following SC:
o SC PII = {(confidentiality, moderate), (integrity, moderate), (availability, moderate)}
Standard: System Security Plan
Page 2 of 7
Table 1: FIPS 199 Categorization
POTENTIAL IMPACT
Security Objective
LOW
MODERATE
HIGH
Confidentiality
The unauthorized
disclosure of information
could be expected to have
a limited adverse effect on
organizational operations,
organizational assets, or
individuals.
The unauthorized
disclosure of information
could be expected to have
a serious adverse effect on
organizational operations,
organizational assets, or
individuals.
The unauthorized
disclosure of information
could be expected to
have a severe or
catastrophic adverse
effect on organizational
operations,
organizational assets, or
individuals.
The unauthorized
modification or destruction
of information could be
expected to have a limited
adverse effect on
organizational operations,
organizational assets, or
individuals.
The unauthorized
modification or destruction
of information could be
expected to have a serious
adverse effect on
organizational operations,
organizational assets, or
individuals.
The unauthorized
modification or
destruction of
information could be
expected to have a
severe or catastrophic
adverse effect on
organizational
operations,
organizational assets, or
individuals.
The disruption of access to
or use of information or an
information system could
be expected to have a
limited adverse effect on
organizational operations,
organizational assets, or
individuals.
The disruption of access to
or use of information or an
information system could
be expected to have a
serious adverse effect on
organizational operations,
organizational assets, or
individuals.
The disruption of access
to or use of information
or an information system
could be expected to
have a severe or
catastrophic adverse
effect on organizational
operations,
organizational assets, or
individuals.
Preserving authorized restrictions on
information access and disclosure,
including means for protecting personal
privacy and proprietary information.
[44 U.S.C., SEC. 3542]
Integrity
Guarding against improper information
modification or destruction, and includes
ensuring information non-repudiation and
authenticity.
[44 U.S.C., SEC. 3542]
Availability
Ensuring timely and reliable access to and
use of information.
[44 U.S.C., SEC. 3542]
Standard: System Security Plan
Page 3 of 7
System Point of Contact (POC)
A designated system POC must be identified in the SSP for each system. This person is the key POC for
the system and is responsible for coordinating system development life cycle (SDLC) activities specific
to the system. It is important that this person have expert knowledge of the system capabilities and
functionality. The assignment of a system owner should be documented in writing and the plan should
include the following contact information:
•
•
•
•
•
•
Name
Title
Agency
Address
Phone Number
Email Address
Authorizing Official (System Owner)
An authorizing official must be identified in the SSP for each system. This person is the senior
management official who has the authority to authorize an information system (major application or
general support system) and accept the residual risk associated with the system. The assignment of the
authorizing official should be documented in the SSP. The Plan must include the same contact
information listed in Section 3.
Other Designated Contacts
This section should include names of other key contact personnel who can address inquiries regarding
system characteristics and operation. The same information listed in Section 3 should be included for
each person listed under this section. If a Project Scope Statement or Project Management Plan exists,
please reference the appropriate section of that document.
Assignment of Security Responsibility
At DFS, the Information Security Manager (ISM) is assigned responsibility for the Department’s
Information Security Program. As a result, the template is pre-populated with the name and contact
information of the ISM. The ISM may delegate this role to another qualified DFS employee on a caseby-case basis. The delegation must be documented via email and noted in the Plan. The same contact
information, as listed under Section 3, should be provided for these individuals.
Standard: System Security Plan
Page 4 of 7
System Operational Status
Indicate one or more of the following for the system's operational status. If more than one status is
selected, list which part of the system is covered under each status.
•
•
•
Operational: The system is in production.
Under Development: The system is being designed, developed, or implemented.
Undergoing a major modification: The system is undergoing a major conversion or transition.
Information System Type
In this section of the plan, indicate whether the system is a strategic business application or general
support system. If the system contains minor applications, describe them in the General
Description/Purpose section of the plan.
General Description/Purpose
Prepare a brief description (one to three paragraphs) of the function and purpose of the system (e.g.,
state’s accounting system, insurance agent licensing system, learning management system). Include a
list of user organizations, whether they are internal or external to the system owner's agency.
System Environment
Provide a brief (one to three paragraphs) general description of the technical system. Include any
environmental or technical factors that raise special security concerns, such as use of smart phones,
tablets, wireless technology, Criminal Justice Information, HIPAA data, etc. Typically, operational
environments are as follows:
System Interconnection/Information Sharing
System interconnection is the direct connection of two or more IT systems for the purpose of sharing
information resources. System interconnection, if not appropriately protected, may result in a
compromise of all connected systems and the data they store, process, or transmit. It is important that
system owners, information owners, and management obtain as much information as possible
regarding vulnerabilities associated with system interconnections and information sharing. This is
essential to selecting the appropriate controls required to mitigate those vulnerabilities. If a
Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) is needed or is in place
between interconnected systems or entities indicate here.
In this section, for each interconnection between systems that are owned or operated by different
organizations, provide the following information concerning the authorization for the connection to
Standard: System Security Plan
Page 5 of 7
other systems or the sharing of information:
•
•
•
•
•
•
•
•
Name of system
Organization orDivision
Type of interconnection (direct interface with database, FTP, etc.)
Authorizations for interconnection (MOU/MOA/Statute/Management)
Date of agreement
FIPS 199 Category [Low|Moderate|High]
Has system been through ISDM? [Yes|No]
Name and title of authorizing official(s)
For systems with numerous interconnections, a table format including the above information may be a
good way to present the information.
Laws, Regulations, and Policies Affecting the System
List any laws, regulations, or policies that establish specific requirements for confidentiality, integrity,
or availability of the system and information retained by, transmitted by, or processed by the system.
General agency security requirements need not be listed since they mandate security for all systems.
Each agency should decide on the level of laws, regulations, and policies to include in the system
security plan. Examples might include the FBI’s Criminal Justice Information Security (CJIS) Policy,
HIPAA, statutes defining confidential data, etc, or a specific statute or regulation concerning the
information processed.
Security Control Selection
Please complete the SSC in Phase 3 to cover security control selection.
Completion Date
The completion date of the SSP should be provided. The completion date should be updated whenever
the plan is updated. When the system is updated, the version number in the title should be updated.
Approval Date
The approval date of the SSP should be provided. The approval date is the date the authorizing official,
or his/her designee, approved the plan. Approval documentation, i.e., email approval, should be on file
or included with the plan.
Standard: System Security Plan
Page 6 of 7
Ongoing SSP Maintenance
Once the SSP is developed, it is important to periodically assess the plan, review any change in system
status, functionality, design, etc., and ensure that the plan continues to reflect the correct information
about the system. This documentation and its correctness are critical. All plans should be reviewed and
updated, if appropriate, annually. Some items to consider in the review are:
•
•
•
•
•
•
•
•
Change in information system owner;
Change in information security representative;
Change in system architecture;
Change in system status;
Additions/deletions of system interconnections;
Change in system scope;
Change in authorizing official; and
Change in certification and accreditation status.
Standard: System Security Plan
Page 7 of 7
Download