Posted on 26-Dec-2015
Preparing a System Security Plan
Overview
Define a Security Plan
Pitfalls to avoid
Required Documents
Contents of the SSP
The profile
Certification
What is a System Security Plan (SSP)?
• The SSP is the user’s guide for operating your system.
• The SSP contains specific procedures and processes.
• Has two parts: written instructions and technical information.
  • The written instructions provide all the explanations and steps necessary for a non-technical user to operate the system.
  • The profile lists only the technical information.
Pitfalls to avoid
• Failure to submit a cover letter
• Not providing detailed information
• Use of generic phrases, e.g. "If feasible", "When applicable", "If possible", etc.
• Referring users to the profile for additional explanations
Pitfalls to avoid
• Failure to submit all required documents
• Completely re-writing a plan instead of only making suggested changes
• Failure to verify the information in the SSP against the profile
Required Documents
• Cover Letter
• SSP
• Profile
• Certification
• Network Security Plans or MOA/MOU for outside connections
• Customer letters
• Approved Variance letters
Preparing the Security Plan
• Cover Page
• Revision Log
Cover Page Requirements
• Facility Name and address
• Cage Code
• Type of Plan
• Protection Level
• Operating Environment
• Outside Connections
• Date and Revision number
Revision Log
• Must be completed with each revision.
1. Introduction
Introduction
• Purpose
  • Identifies the purpose of the document
  • Identifies the purpose of the System
• List of Attachments
Introduction
• Scope
  • Identifies the range of operations
  • Protection Level
  • Classification Level
  • Confidentiality, Integrity, Availability
  • Type of system
  • Categories of Information and formal access requirements
  • Operating Environment
  • Alternate Site Processing
2. Personnel Management
Personnel Responsibilities
• Contractor Management
  • How is the security policy supported by Management?
• ISSM Responsibilities
  • May be listed exactly from the NISPOM
• ISSO Responsibilities
  • May be listed exactly from the NISPOM or may be tailored to what you want this person to do.
  • If using the ISSO Delegation Record, compare duties.
Personnel Responsibilities
• Users
  • Privileged Users
    • Other than the ISSM and ISSO.
    • What are these users allowed to do on your system?
  • General Users
    • What are these users allowed to do on your system?
3. Certification and Accreditation
Certification and Accreditation
• Certification
  • Explain your certification process
• Accreditation
  • Explain the accreditation process
• Reaccreditation
  • Explain when reaccreditation is required and the process
Certification and Accreditation
• Certification of Similar Systems
  • Certification process
  • Define a similar system
• Security Testing
  • Purpose
  • Describe the frequency
• Self Inspections
  • Describe the frequency
  • Explain what will be inspected
4. System Identification and Requirements (SIRS)
System Identification and Requirements Specification
• Pure Servers (8-503)
  • Provides a non-interactive service (e.g. messaging service)
  • No user access
  • No user code
This is the beginning of the technical information and procedures for your system.
System Identification and Requirements Specification
• Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504)
  • No General users
  • No user code
• Mobile Systems (8-308)
  • A system that is used for classified processing outside your facility's cage code.
  • May be at another Contractor or a Government site
5. Protection Measures
Protection Measures
• Accounts and Logons
  • Identification and Management
    • Are logons being used?
    • Explain how you create unique user IDs
    • Explain how authenticators (passwords) are created and passed to the user
Protection Measures
• Accounts and Logons
  • Requirements for Passwords
    • Identify password length
    • Password lifetime
    • Password complexity
  • Guidelines for User Generated Passwords
    • Explain the requirements users are to follow
Protection Measures
• Accounts and Logons
  • Generic or Group Accounts
    • Are these accounts authorized?
    • Explain the purpose
    • Explain the access procedures
Protection Measures
• Session Controls
  • Logon Banner Requirements
    • Are you using the most current banner?
    • How is the banner displayed?
    • Action to remove the banner
Protection Measures
• Session Controls
  • Successive Logon Attempt Controls
    • Are they controlled?
    • Define the number of unsuccessful logon attempts before the account is locked
    • Explain your procedures for unlocking an account
  • System Entry Conditions
    • Explain how a user accesses the system
Protection Measures
• Access Controls
  • Explain what technical and physical controls are in place to protect the system.
    • BIOS Protection
    • Boot Sequence
    • Seals
    • Removable Hard drive protection
Protection Measures
• Audit Requirements
  • Frequency of Audits
  • Audit Configuration and Settings
  • Audit Management Overflow
  • Manual Logs required to be audited
  • List procedures if a variance is approved
Protection Measures
• System Recovery and Assurances
  • Explain how you are going to recover and certify your system in a controlled manner
• Virus and Malicious Code Detection
  • Explain how you will detect malicious code
  • Explain procedures for updating antivirus definition files
• Data Transmission Protection
  • Explain how data is transmitted
Protection Measures
• Clearance and Sanitization
  • Clearing
    • Authorized
    • Method used
  • Sanitization
    • Authorized
    • Method used
Protection Measures
• Protection Measure Variances
  • Identify any approved variances
  • Include a copy of the letter in the profile
6. Personnel Security
Personnel Security
• Personnel Access to IS
  • Identify specific requirements users must meet before accessing the system
• Security Education
  • Initial Training Requirements
    • Explain your training requirements
  • Ongoing IS Security Education Programs
    • Describe your ongoing security education program
7. Physical Security
Physical Security
• Operating Environment
  • You cannot identify multiple operating environments.
  • Briefly describe your environment
8. Maintenance
Maintenance
• Facility Maintenance Policy
  • Describe how maintenance will be performed and by whom
• Cleared Maintenance Personnel
• Uncleared Maintenance Personnel
  • Explain procedures for using uncleared personnel
9. Media Controls
Media Controls
• Classified Media
  • Define and provide examples
• Protected Media
  • Define and provide examples
• Unclassified or Lower Classified Media
  • Define and explain its use
• Media Destruction
  • Explain how media is destroyed.
10. Output Procedures
Output Procedures
• Hardcopy Output Review
  • Define and provide procedures for review
  • Verify against the hardware list to ensure you have a printer identified
• Media Review and Trusted Downloading
  • Authorized
  • Method used
    • DSS Approved procedures
    • Non Approved procedures
11. Upgrade and Downgrade Procedures
Upgrade and Downgrade Procedures
• These procedures are required if operating in a Restricted Area or MPF, when using removable hard drives, or when performing periods processing
• Procedures are specific to each system
• Upgrade/Startup Procedure
  • Compare to your Upgrade Log
• Downgrade/Shutdown Procedure
  • Compare to your Downgrade Log
• Periods Processing
  • Authorized
12. Markings
Marking
• IS Hardware Components
  • List the documents that govern marking
  • Classified marking requirements
  • Markings for co-located systems
Marking
• Media
  • Unclassified Media Markings
  • Classified Media Markings
    • Overall classification level
    • Applicable special markings, e.g. NATO
    • Unclassified Title
    • Creation date
    • Derived from
    • Declassify on
13. Configuration Management Plan and System Configuration
Configuration Management Plan and System Configuration
• Configuration Management (CM)
  • The Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process for all security-relevant aspects of the system.
  • Specify who is responsible for authorizing security-relevant changes
  • Explain how changes are documented
  • Explain how the CM process is evaluated and how frequently
Configuration Management Plan and System Configuration
• System Configuration
  • Hardware Description
    • Provide a generic description of your hardware, e.g. desktops, laptops, networked, non-networked, etc.
    • List only the equipment that applies to your system
  • Hardware Requirements
    • Identify requirements that must be met prior to processing
Configuration Management Plan and System Configuration
• Change Control Procedures for Hardware
  • Addition of Hardware
    • List procedures to be followed when adding hardware
  • Removal of Hardware
    • List procedures to be followed when removing hardware
  • Reconfiguration of Hardware
    • List procedures to be followed when reconfiguring hardware
    • Who is authorized to reconfigure the system?
Configuration Management Plan and System Configuration
• Software Description
  • Provide a generic description of the software authorized for use on the system
• Software Requirements
  • Identify limitations on the type of software that can be used
  • Identify protection requirements
  • Explain how software is introduced to the system
  • Address software development
  • Address malicious code
Configuration Management Plan and System Configuration
• Change Control Procedures for Software
  • Addition of Software
    • Identify who authorizes the addition of software
    • Identify what types of software can be added and by whom
    • Explain the documentation requirements for adding software
Configuration Management Plan and System Configuration
• Change Control Procedures for Software
  • Removal of Software
    • Identify who authorizes the removal of the software
    • Identify what types of software can be removed and by whom
    • Explain the documentation requirements for removing software
• Other SSP Changes
  • Who is authorized to make changes to the security plan?
14. System Specific Risks and Vulnerabilities
System Specific Risks and Vulnerabilities
• Risk Assessment
  • Risk assessment is the process of analyzing threats to and vulnerabilities of an IS and the potential impact resulting from the loss of information or capabilities of a system.
  • You must identify whether there are any unique local threats
15. Network Security
Network Security
• Network Description
  • Describe your network
    • Unified
    • Interconnected
• Network Management Protections
  • Describe any physical or logical protections for network devices and cabling
System Profile
• Profile
  • Contains specific technical information about the system
  • Must be compared to the appropriate paragraph in the SSP
  • Does not contain routine procedures
  • Does contain special procedures
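The pitfall "Failure to verify information in the SSP to the profile" and the requirement above that the profile be compared to the matching SSP paragraph can be checked mechanically before the plan is submitted. The script below is an added example, not code from the original slides or from any DSS tool; the key/value document formats, the field names in FIELD_MAP, the hardware-list convention and all sample values are constructed assumptions for this illustration. It also flags the generic phrases the "Pitfalls to avoid" slides name and checks that a hardcopy output review procedure is backed by a printer on the hardware list.

```python
"""Consistency check between an SSP's written protection measures and the
system profile's technical settings.

Added example, not part of the original slides. The document formats, field
names, mapping and sample values below are constructed assumptions."""
import re

# Generic phrases the slides list as a pitfall in SSP wording.
GENERIC_PHRASES = ("if feasible", "when applicable", "if possible")

# Constructed sample SSP excerpt (written instructions, "key: value" lines).
SAMPLE_SSP = """\
Password length: 12
Password lifetime: 90 days
Password complexity: upper, lower, digit, special
Unsuccessful logon attempts before lockout: 3
Hardcopy output review: All printed output is reviewed by the ISSO before release
Virus definition updates: Definitions are updated when applicable
"""

# Constructed sample profile excerpt (technical settings, "key = value" lines).
SAMPLE_PROFILE = """\
min_password_length = 8
max_password_age_days = 90
password_complexity = upper, lower, digit, special
lockout_threshold = 3
hardware_list = desktop, removable hard drive
"""

# Which profile setting each SSP statement must agree with (constructed mapping).
FIELD_MAP = {
    "password length": "min_password_length",
    "password lifetime": "max_password_age_days",
    "password complexity": "password_complexity",
    "unsuccessful logon attempts before lockout": "lockout_threshold",
}


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines into a dict keyed by lowercased key."""
    out = {}
    for line in text.splitlines():
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip().lower()] = value.strip()
    return out


def normalize(value):
    """Reduce a value to a comparable core: a leading integer if present
    (so '90 days' and '90' agree), otherwise lowercased, whitespace-collapsed text."""
    m = re.match(r"\s*(\d+)", value)
    if m:
        return m.group(1)
    return " ".join(value.lower().split())


def check_ssp_against_profile(ssp_text, profile_text):
    """Return a list of findings; an empty list means the documents agree."""
    ssp = parse_kv(ssp_text, ":")
    profile = parse_kv(profile_text, "=")
    findings = []

    # 1. Every mapped SSP statement must exist in the profile and agree with it.
    for ssp_key, prof_key in FIELD_MAP.items():
        if ssp_key not in ssp:
            findings.append(f"SSP is missing a statement for '{ssp_key}'")
        elif prof_key not in profile:
            findings.append(f"profile is missing '{prof_key}' (needed for SSP '{ssp_key}')")
        elif normalize(ssp[ssp_key]) != normalize(profile[prof_key]):
            findings.append(
                f"mismatch: SSP '{ssp_key}' = {ssp[ssp_key]!r} "
                f"but profile '{prof_key}' = {profile[prof_key]!r}")

    # 2. Generic phrases leave a procedure undefined; flag them.
    for key, value in ssp.items():
        for phrase in GENERIC_PHRASES:
            if phrase in value.lower():
                findings.append(f"generic phrase '{phrase}' in SSP '{key}'")

    # 3. A hardcopy output review procedure needs a printer on the hardware list.
    hardware = [h.strip().lower() for h in profile.get("hardware_list", "").split(",")]
    if "hardcopy output review" in ssp and "printer" not in hardware:
        findings.append("SSP describes hardcopy output review but hardware list has no printer")
    return findings


if __name__ == "__main__":
    for finding in check_ssp_against_profile(SAMPLE_SSP, SAMPLE_PROFILE):
        print("FINDING:", finding)
```

On the constructed samples the script reports three findings: the password length stated in the SSP (12) disagrees with the profile setting (8), the virus-definition procedure uses the generic phrase "when applicable", and hardcopy output review is described without a printer on the hardware list. Each finding points at one SSP statement, which is the granularity at which the reviewer will ask for a correction.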
System Certification
• Certification
  • Physical inspection of your system
  • Written documentation to DSS that the system meets all NISPOM requirements
  • Certification Test Guide
  • NISP Tool
Summary
• Required Documentation
• Requirements of the SSP
• Requirements of the profile
• Certification
Questions