SYSTEM SECURITY PLANS 101 DONALD E. HESTER CISSP, CISA, CAP, MCT, MCSE SECURITY, MCSA SECURITY, MCDST, SECURITY+, CTT+, MV

DESCRIPTION

System Security Plans are part of the required documentation for a certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers who is responsible for the SSP, plan contents, an overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what an SSP is not.

Page 1: System Security Plans 101

SYSTEM SECURITY PLANS 101

DONALD E. HESTER
CISSP, CISA, CAP, MCT, MCSE SECURITY, MCSA SECURITY, MCDST, SECURITY+, CTT+, MV

Page 2: System Security Plans 101

Maze & Associates © 2007

PAPER TIGER?

• GCN, February 2007, reported that a pair of security experts say FISMA is fundamentally flawed.

• “FISMA wasn’t written badly, but the measuring system they are using is broken. What we measure now is, ‘Do you have a plan?’ Not whether the plan actually improves security. Too often, the plans do not improve security”

Page 3: System Security Plans 101

NO PAPER TIGER

• Avoid the danger of turning your security plan into a bureaucratic ‘check the box’ exercise

• Should be
– Single reference for what needs to be secured
– Documents controls
– Support oversight, planning and budget
– Document compliance

Page 4: System Security Plans 101

PLAN LIFE CYCLE

Plan Initiation

Plan Development

Plan Implementation

Plan Maintenance

Recertification or Retirement

Page 5: System Security Plans 101

RESPONSIBLE FOR THE PLAN

• System Owner is responsible for the plan
• Can delegate preparation of the plan
• Cannot delegate responsibility
• Should be familiar with the system
• Multiple people will contribute

• Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.

Page 6: System Security Plans 101

PLAN CONTENTS

• System Description
• Description of Controls
• System Security Roles & Responsibilities
• External Requirements
• Information Categories
• Interconnectivity with the system
• Certification Level
• Plan Information

Page 7: System Security Plans 101

SYSTEM BOUNDARY

• Flexibility in determination of the system
• Generally under the same management control, and usually locally grouped systems
• May contain multiple subsystems
• System Security Plan will have diagrams showing the system boundary

[Diagram: System 1 containing Subsystem A, Subsystem B and Subsystem C]

Page 8: System Security Plans 101

Page 9: System Security Plans 101

BASELINE SECURITY CONTROLS

• Selection of baseline security controls is based on system categorization

• For this system you would select Moderate controls from NIST SP 800-53 Rev. 1 (High watermark)

Information Criteria    Security Impact
Confidentiality         Low / Moderate / High
Integrity               Low / Moderate / High
Availability            Low / Moderate / High

Based on: NIST SP 800-60 and FIPS Pub 199

Page 10: System Security Plans 101

IMPLEMENTATION DETAIL

• Control selection based on Risk Assessment
• Fully describe how the control is implemented
• Document differences with subsystems
• Compensating Controls
• Common Controls
• Hybrid Controls
• Tailored Controls

Page 11: System Security Plans 101

SUBSYSTEM EXAMPLE

Implementation Detail:

Subsystem 1: Control satisfied via the following: A configuration management system retrieves a baseline configuration from all network devices and reports changes via a version control system. The checklist for installation includes a requirement to register new devices in the version control system. The system compares deltas in configurations and notifies technical staff about changes.

Subsystem 2: Control satisfied via the CIS benchmark documentation, which records what has changed in the baseline. Center Code XXX performs vulnerability scans on a regular basis. XXX reports changes; the system admin evaluates materiality.
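The Subsystem 1 detail above describes three things a configuration management check has to catch: a registered device whose configuration drifted from its baseline, a registered device that returned nothing, and a device that was never registered in the version control system. The following Python is an added example written for this page, not code from the presentation or from any configuration management product; the device names, configuration lines and the notify_staff() hook are constructed for the illustration.

```python
"""Configuration-delta check in the spirit of the Subsystem 1 implementation
detail above.  Added example, not code from the presentation or from any
configuration management product; device names, configuration lines and the
notify_staff() hook are constructed for illustration."""
import difflib

# Constructed sample data: the configuration each device was registered with
# in the version control system (baseline) versus what the management system
# retrieved on this cycle (current).
BASELINE = {
    "core-rtr-01": [
        "hostname core-rtr-01",
        "logging host 10.0.0.5",
        "ntp server 10.0.0.6",
    ],
    "edge-fw-01": [
        "hostname edge-fw-01",
        "logging host 10.0.0.5",
    ],
}

CURRENT = {
    "core-rtr-01": [
        "hostname core-rtr-01",
        "logging host 10.0.0.9",   # log destination changed since baseline
        "ntp server 10.0.0.6",
        "ip http server",          # service enabled that the baseline never had
    ],
    # edge-fw-01 returned nothing this cycle (unreachable)
    "access-sw-07": [              # never registered: installation checklist gap
        "hostname access-sw-07",
    ],
}


def compare_configs(baseline, current):
    """Return {device: {"status": ..., "diff": [...]}} covering every device
    seen in either the baseline or the current retrieval."""
    report = {}
    for dev in sorted(set(baseline) | set(current)):
        if dev not in baseline:
            report[dev] = {"status": "unregistered", "diff": []}
        elif dev not in current:
            report[dev] = {"status": "unreachable", "diff": []}
        else:
            # n=0 yields only the changed lines; drop the file headers and
            # keep the +/- lines so the delta reads well in a notification
            diff = [
                line
                for line in difflib.unified_diff(
                    baseline[dev], current[dev], lineterm="", n=0
                )
                if line.startswith(("+", "-"))
                and not line.startswith(("+++", "---"))
            ]
            report[dev] = {
                "status": "changed" if diff else "unchanged",
                "diff": diff,
            }
    return report


def notify_staff(report):
    """Turn the report into one message per device that needs attention.
    Unchanged devices stay silent; everything else is surfaced so technical
    staff can judge materiality, as the slide describes."""
    messages = []
    for dev, entry in report.items():
        if entry["status"] == "unchanged":
            continue
        body = f"[{entry['status']}] {dev}"
        if entry["diff"]:
            body += "\n  " + "\n  ".join(entry["diff"])
        messages.append(body)
    return messages


if __name__ == "__main__":
    for msg in notify_staff(compare_configs(BASELINE, CURRENT)):
        print(msg)
```

The point of reporting "unreachable" and "unregistered" separately from "changed" is that each maps to a different follow-up: a drifted device needs a change-record lookup, a silent device needs a health check, and an unregistered device means the installation checklist was not followed.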

Page 12: System Security Plans 101

COMPENSATING CONTROLS

“Compensating security controls are the management, operational, or technical controls used by an agency in lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or comparable protection for an information system.”

Source: NIST SP 800-100 § 8.4.4

Page 13: System Security Plans 101

COMPENSATING CONTROLS

1. Select controls from 800-53

2. Complete and convincing rationale

3. Assess and formally accept risk

Page 14: System Security Plans 101

COMMON CONTROLS

1. Agency has developed and documented common controls

2. Agency has assigned responsibility for the common control

3. System owners should be made aware

4. Expert in the common control consulted

5. Agency or Center Common Control

Page 15: System Security Plans 101

COMMON CONTROL EXAMPLE

• Implementation Detail:
• Common Control: Item (i) Control satisfied via NPR 2810.1A, Security of Information Technology, Chapter 19 – Identification and Authentication, and Chapter 20 – Logical Access Controls. Item (ii) defined by ITS-SOP-0037, NASA Common Access Controls Procedures for IT Systems (when finalized).

Page 16: System Security Plans 101

HYBRID CONTROLS

• A portion of the control is outside the control or scope of the system owner

• For example physical security may be handled at the gate and building level by guard service, while access to the computer room is handled by system staff.

• Document what is done by whom
• Coordination between responsible parties

Page 17: System Security Plans 101

HYBRID CONTROL EXAMPLE

PS-3 PERSONNEL SCREENING

Control: The organization screens individuals requiring access to organizational information and information systems before authorizing access.

Implementation Detail: Center Hybrid Control; see System Owner action(s) needed. Control is satisfied via the following:
Center Code XXX Actions: All Center Level access is managed by center code XXX.
Center Code YYY Actions: Civil Servants and contractors are screened by Human Resources (Code YYY).
System Owner Action: Access is not granted to users until screening by XXX and YYY. No screening beyond what is provided by Code XXX and YYY.

Page 18: System Security Plans 101

SCOPING GUIDANCE

• System security plans should clearly identify which security controls used scoping guidance and include a description of the type of considerations that were made.

• Reasons for tailored controls
– Assessment of risk
– Organization-specific security requirements
– Specific threat information
– Cost-benefit analyses
– Availability of compensating controls
– Special circumstances

Source: NIST SP 800-100 § 8.4.1

Page 19: System Security Plans 101

SCOPING GUIDANCE EXAMPLE

• PE-11 EMERGENCY POWER
• Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
• System consists of desktop computers

Criteria          Rating
Confidentiality   Moderate
Availability      Low
Integrity         Low

Page 20: System Security Plans 101

SCOPING GUIDANCE EXAMPLE

• Implementation Detail:
• Control not implemented; applied scoping guidance per NIST SP 800-53 rev.1 pages 18-20.
• Desktop systems do not need an uninterruptible power supply. Removing this control does not affect the security-relevant information within the system. The system is rated moderate for confidentiality and low for availability; the control addresses availability, not confidentiality. Systems with low availability do not require uninterruptible power supplies.
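The PE-11 decision above and the Baseline Security Controls slide are two halves of one procedure: aggregate the impact levels of the information on the system per objective, take the high watermark to pick the 800-53 baseline, then ask for each control whether the objective it protects is rated lower than that baseline. The Python below is an added example written for this page, not code from the presentation; the information types and their impact levels, and every control-to-objective mapping except PE-11's (which follows the slide's own rationale), are assumptions constructed for the illustration. It only flags scoping candidates; the written rationale and formal risk acceptance the deck calls for remain the system owner's job.

```python
"""FIPS 199 high-watermark categorization and the scoping check behind the
PE-11 example.  Added example, not code from the presentation; information
types, impact levels and the control-to-objective mapping (other than PE-11)
are constructed assumptions."""

LEVELS = {"low": 0, "moderate": 1, "high": 2}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed: information types on the desktop system, each with its
# provisional (C, I, A) impact levels in the SP 800-60 style.
INFO_TYPES = {
    "personnel records": ("moderate", "low", "low"),
    "general office correspondence": ("low", "low", "low"),
}


def objective_ratings(info_types):
    """Per-objective rating: the highest impact any information type carries
    for that objective (the FIPS 199 aggregation across information types)."""
    ratings = {}
    for idx, objective in enumerate(OBJECTIVES):
        worst = max(LEVELS[levels[idx]] for levels in info_types.values())
        ratings[objective] = NAMES[worst]
    return ratings


def system_category(ratings):
    """Overall category is the high watermark across C, I and A; it selects
    the SP 800-53 baseline (low, moderate or high)."""
    return NAMES[max(LEVELS[r] for r in ratings.values())]


# Constructed mapping of a few controls to the objective they primarily serve.
# PE-11's objective follows the slide's rationale; the other two are assumed.
CONTROL_OBJECTIVE = {
    "PE-11": "availability",      # emergency power: orderly shutdown
    "CP-9": "availability",       # information system backup (assumed)
    "AC-3": "confidentiality",    # access enforcement (assumed)
}


def scoping_candidate(control, ratings, baseline):
    """Return (candidate, rationale).  A control is a scoping candidate when
    the objective it protects is rated lower than the baseline the system
    inherited from its high watermark.  This flags the decision only; the
    SSP still has to record the rationale and the formally accepted risk."""
    objective = CONTROL_OBJECTIVE.get(control)
    if objective is None:
        return False, f"{control}: no objective mapping; keep as baseline"
    rating = ratings[objective]
    if LEVELS[rating] < LEVELS[baseline]:
        drivers = ", ".join(o for o in OBJECTIVES if ratings[o] == baseline)
        return True, (f"{control} addresses {objective}, rated {rating}; "
                      f"baseline is {baseline} because of {drivers}")
    return False, f"{control} addresses {objective}, rated {rating}; keep"


if __name__ == "__main__":
    ratings = objective_ratings(INFO_TYPES)
    baseline = system_category(ratings)
    print(ratings, "->", baseline, "baseline")
    for control in CONTROL_OBJECTIVE:
        print(scoping_candidate(control, ratings, baseline)[1])
```

With the constructed inputs the system lands at moderate because of confidentiality alone, so PE-11 (availability) is flagged as a candidate while AC-3 (confidentiality) is not, which is exactly the shape of the argument on the slide.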

Page 21: System Security Plans 101

PLAN MAINTENANCE

Plan Initiation

Plan Development

Plan Implementation

Plan Maintenance

Recertification or Retirement

Page 22: System Security Plans 101

PLAN MAINTENANCE

• Keep the plan up-to-date
• Don’t wait until recertification to update the plan
• Review of the plan should occur prior to any major change
• It has to be a living document
• May trigger a recertification

Page 23: System Security Plans 101

WHAT IT IS NOT

• The System Security Plan is not proof of the existence of controls

• Cross-reference procedures; do not duplicate them (hyperlink, plus the name and location of the documentation)

• It is not a security procedures manual
• Plan should not be lengthy and unusable

Page 24: System Security Plans 101

CONTACT INFO

Donald E. Hester
CISSP, CISA, CAP, MCT, MCSE Security, MCSA Security, MCDST, Security+, CTT+, MV
Maze & Associates / San Diego City College
Email: [email protected]
https://www.linkedin.com/in/donaldehester