System Security Plans are part of the required documentation for certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers; who is responsible for the SSP, plan contents, overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what a SSP is not
SYSTEM SECURITY PLANS 101
DONALD E. HESTER, CISSP, CISA, CAP, MCT, MCSE SECURITY, MCSA SECURITY, MCDST, SECURITY+, CTT+, MV
Maze & Associates © 2007
PAPER TIGER?
• GCN, February 2007, reported that a pair of security experts say FISMA is fundamentally flawed.
• “FISMA wasn’t written badly, but the measuring system they are using is broken. What we measure now is, ‘Do you have a plan?’ Not whether the plan actually improves security. Too often, the plans do not improve security”
NO PAPER TIGER
• Avoid the danger of turning your security plan into a bureaucratic ‘check the box’ exercise
• Should be:
– Single reference for what needs to be secured
– Documents controls
– Supports oversight, planning and budget
– Documents compliance
PLAN LIFE CYCLE
Plan Initiation
Plan Development
Plan Implementation
Plan Maintenance
Recertification or Retirement
RESPONSIBLE FOR THE PLAN
• System Owner is responsible for the plan
• Can delegate preparation of the plan
• Cannot delegate responsibility
• Should be familiar with the system
• Multiple people will contribute
• Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.
PLAN CONTENTS
• System Description
• Description of Controls
• System Security Roles & Responsibilities
• External Requirements
• Information Categories
• Interconnectivity with the system
• Certification Level
• Plan Information
SYSTEM BOUNDARY
• Flexibility in determination of the system
• Generally under the same management control and usually locally grouped systems
• May contain multiple subsystems
• System Security Plan will have diagrams showing the system boundary
Diagram: System 1 boundary containing Subsystem A, Subsystem B and Subsystem C
BASELINE SECURITY CONTROLS
• Selection of baseline security controls is based on system categorization
• For this system you would select the Moderate controls from NIST SP 800-53 Rev. 1 (high-water mark)
Information Criteria    Security Impact
Confidentiality         Low / Moderate / High
Integrity               Low / Moderate / High
Availability            Low / Moderate / High
Based on: NIST SP 800-60 and FIPS Pub 199
IMPLEMENTATION DETAIL
• Control selection based on Risk Assessment
• Fully describe how the control is implemented
• Document differences with subsystems
• Compensating Controls
• Common Controls
• Hybrid Controls
• Tailored Controls
SUBSYSTEM EXAMPLE
Implementation Detail:
Subsystem 1: Control satisfied via the following: A configuration management system retrieves a baseline configuration from all network devices and reports changes via a version control system. The checklist for installation includes a requirement to register new devices in the version control system. The system compares deltas in configurations and notifies technical staff about changes.
Subsystem 2: Control satisfied via the CIS benchmark documentation, which records what has changed in the baseline. Center Code XXX performs vulnerability scans on a regular basis. XXX reports changes; the system admin evaluates materiality.
COMPENSATING CONTROLS
“Compensating security controls are the management, operational, or technical controls used by an agency in lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or comparable protection for an information system.”
Source: NIST SP 800-100 § 8.4.4
COMPENSATING CONTROLS
1. Select controls from 800-53
2. Complete and convincing rationale
3. Assess and formally accept risk
COMMON CONTROLS
1. Agency has developed and documented common controls
2. Agency has assigned responsibility for the common control
3. System owners should be made aware
4. Expert in the common control consulted
5. Agency or Center Common Control
COMMON CONTROL EXAMPLE
• Implementation Detail:
• Common Control: Item (i) Control satisfied via NPR 2810.1A, Security of Information Technology, Chapter 19 – Identification and Authentication, and Chapter 20 – Logical Access Controls. Item (ii) defined by ITS-SOP-0037, NASA Common Access Controls Procedures for IT Systems (when finalized).
HYBRID CONTROLS
• A portion of the control is outside the control or scope of the system owner
• For example physical security may be handled at the gate and building level by guard service, while access to the computer room is handled by system staff.
• Document what is done by whom
• Coordination between responsible parties
HYBRID CONTROL EXAMPLE
PS-3 PERSONNEL SCREENING
Control: The organization screens individuals requiring access to organizational information and information systems before authorizing access.
Implementation Detail: Center Hybrid Control; see System Owner action(s) needed. Control is satisfied via the following:
Center Code XXX Actions: All Center Level access is managed by center code XXX.
Center Code YYY Actions: Civil Servants and contractors are screened by Human Resources (Code YYY).
System Owner Action: Access is not granted to users until screening by XXX and YYY. No screening beyond what is provided by Code XXX and YYY.
SCOPING GUIDANCE
• System security plans should clearly identify which security controls used scoping guidance and include a description of the type of considerations that were made.
• Reasons for tailored controls:
– Assessment of risk
– Organization-specific security requirements
– Specific threat information
– Cost-benefit analyses
– Availability of compensating controls
– Special circumstances
Source: NIST SP 800-100 § 8.4.1
SCOPING GUIDANCE EXAMPLE
• PE-11 EMERGENCY POWER
• Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
• System consists of desktop computers
Criteria          Rating
Confidentiality   Moderate
Availability      Low
Integrity         Low
SCOPING GUIDANCE EXAMPLE
• Implementation Detail:
• Control not implemented; applied scoping guidance per NIST SP 800-53 Rev. 1, pages 18-20.
• Desktop systems do not need an uninterruptible power supply. Removing this control does not affect the security-relevant information within the system. The system is rated moderate for confidentiality and low for availability, and the control addresses availability, not confidentiality. Systems with low availability do not require uninterruptible power supplies.
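The baseline selection slide and this PE-11 example follow one rule: the FIPS 199 high-water mark picks the SP 800-53 baseline, and a control that addresses only an objective rated Low is a candidate for tailoring, with the rationale recorded in the SSP. The Python below is an added illustration, not part of the original deck; the desktop ratings and the PE-11-to-availability mapping come from the slides, while HYP-1 is a constructed placeholder control used only to show the contrasting outcome.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


def high_water_mark(ratings):
    """FIPS 199: overall system impact is the highest of the three objective ratings."""
    return max(ratings["confidentiality"], ratings["integrity"], ratings["availability"])


def baseline_for(ratings):
    """Name the NIST SP 800-53 baseline that the high-water mark selects."""
    names = {Impact.LOW: "Low", Impact.MODERATE: "Moderate", Impact.HIGH: "High"}
    return names[high_water_mark(ratings)] + " baseline"


def scoping_decision(control_id, objective, ratings):
    """Return (tailor_out, rationale) using the deck's PE-11 reasoning: a control that
    addresses only an objective rated Low may be removed under scoping guidance, and
    the SSP records the rationale whether the control is removed or retained."""
    level = ratings[objective]
    if level == Impact.LOW:
        return True, (f"{control_id} addresses {objective}, which is rated Low; "
                      "control not implemented, scoping guidance applied.")
    return False, (f"{control_id} addresses {objective}, which is rated "
                   f"{level.name.title()}; control retained.")


def ssp_tailoring_section(ratings, control_objectives):
    """Build the tailoring entries an SSP would record, one per control."""
    return {cid: scoping_decision(cid, obj, ratings)
            for cid, obj in control_objectives.items()}


# Constructed from the PE-11 slide: desktops rated Moderate for confidentiality,
# Low for integrity and availability.
DESKTOP_SYSTEM = {"confidentiality": Impact.MODERATE,
                  "integrity": Impact.LOW,
                  "availability": Impact.LOW}

# PE-11 -> availability is stated on the slides. HYP-1 is a constructed
# placeholder, not a real SP 800-53 control, included only for contrast.
CONTROL_OBJECTIVES = {"PE-11": "availability", "HYP-1": "confidentiality"}

if __name__ == "__main__":
    print(baseline_for(DESKTOP_SYSTEM))
    for cid, (out, why) in ssp_tailoring_section(DESKTOP_SYSTEM, CONTROL_OBJECTIVES).items():
        print(cid, "tailored out" if out else "retained", "-", why)
```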
PLAN MAINTENANCE
Plan Initiation
Plan Development
Plan Implementation
Plan Maintenance
Recertification or Retirement
PLAN MAINTENANCE
• Keep the plan up-to-date
• Don’t wait until recertification to update the plan
• Review of the plan should occur prior to any major change
• It has to be a living document
• May trigger a recertification
WHAT IT IS NOT
• The System Security Plan is not proof of the existence of controls
• Cross-reference procedures, do not duplicate them (hyperlink, and name and location of documentation)
• It is not a security procedures manual
• Plan should not be lengthy and unusable
CONTACT INFO
Donald E. Hester, CISSP, CISA, CAP, MCT, MCSE Security, MCSA Security, MCDST, Security+, CTT+, MV
Maze & Associates / San Diego City College
Email: [email protected]
https://www.linkedin.com/in/donaldehester