Attached, please find Project 3 – System Security Plan (Field Office).
Information System Security Plan
1. Information System Name/Title:
• Unique identifier and name given to the system. [use information from the case study]
2. Information System Categorization:
• Identify the appropriate system categorization [use the information from the case study].
3. Information System Owner:
• Name, title, agency, address, email address, and phone number of person who owns the system.
[Use the field office manager]
4. Authorizing Official:
• Name, title, agency, address, email address, and phone number of the senior management
official designated as the authorizing official. [Use the company’s Chief Information
Officer.]
5. Other Designated Contacts:
• List other key personnel, if applicable; include their title, address, email address, and phone
number. [include the CISO, the ISSO, and other individuals from the case study, if
appropriate]
6. Assignment of Security Responsibility:
• Name, title, address, email address, and phone number of person who is responsible for the
security of the system. [use the case study information]
7. Information System Operational Status:
• Indicate the operational status of the system. If more than one status is selected, list which part
of the system is covered under each status. [Use the case study information.]
8. Information System Type:
• Indicate if the system is a major application or a general support system. If the system contains
minor applications, list them in Section 9. General System Description/Purpose. [use the case
study information]
9. General System Description/Purpose
• Describe the function or purpose of the system and the information processes. [use the case
study information]
10. System Environment
• Provide a general description of the technical system. Include the primary hardware, software,
and communications equipment.
[use the case study information and diagrams. Add brand names, equipment types as required (if
not provided in the case study)]
11. System Interconnections/Information Sharing
• List interconnected systems and system identifiers (if appropriate), provide the system name,
owning or providing organization, system type (major application or general support system)
… add a fictional date of agreement to interconnect, and the name of the authorizing official.
12. Related Laws/Regulations/Policies
• List any laws or regulations that establish specific requirements for the confidentiality,
integrity, or availability of the data in the system.
13. Minimum Security Controls
Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for
each section. Cut and paste the tables from the provided security controls baseline to add the
individual security controls under each section. Use the sections and sub-sections as listed below.
13.1 Management Controls
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.1.1 [first control family]
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.1.2 [second control family]
…………
13.2 Operational Controls
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.2.1 [first control family]
13.2.2 [second control family]
…………..
13.3 Technical Controls
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.3.1 [first control family]
13.3.2 [second control family]
…………
Example:
14. Information System Security Plan Completion Date: _____________________
• Enter the completion date of the plan.
15. Information System Security Plan Approval Date: _______________________
• Enter the date the system security plan was approved and indicate if the approval
documentation is attached or on file.
Project #3: IT Security Controls Baseline for Red Clay Renovations
To ensure compatibility with existing policy and documentation, Red Clay Renovations’ IT Security
policies, plans, and procedures will continue to use the following security control classes (management,
operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the security controls listed below. Security
control definitions and implementation guidance shall be obtained from the most recent version of NIST
Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and
Organizations.
1. AC: Access Controls (Technical Controls Category)
AC-1 | Access Control Policy and Procedures | AC-1
AC-2 | Account Management | AC-2 (1) (2) (3) (4)
AC-3 | Access Enforcement | AC-3
AC-4 | Information Flow Enforcement | AC-4
AC-5 | Separation of Duties | AC-5
AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10)
AC-7 | Unsuccessful Logon Attempts | AC-7
AC-8 | System Use Notification | AC-8
AC-11 | Session Lock | AC-11 (1)
AC-12 | Session Termination | AC-12
AC-14 | Permitted Actions without Identification or Authentication | AC-14
AC-17 | Remote Access | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access | AC-18 (1)
AC-19 | Access Control for Mobile Devices | AC-19 (5)
AC-20 | Use of External Information Systems | AC-20 (1) (2)
AC-21 | Information Sharing | AC-21
AC-22 | Publicly Accessible Content | AC-22
2. AT: Awareness and Training (Operational Controls Category)
AT-1 | Security Awareness and Training Policy and Procedures | AT-1
AT-2 | Security Awareness Training | AT-2 (2)
AT-3 | Role-Based Security Training | AT-3
AT-4 | Security Training Records | AT-4
3. AU: Audit and Accountability (Technical Controls Category)
AU-1 | Audit and Accountability Policy and Procedures | AU-1
AU-2 | Audit Events | AU-2 (3)
AU-3 | Content of Audit Records | AU-3 (1)
AU-4 | Audit Storage Capacity | AU-4
AU-5 | Response to Audit Processing Failures | AU-5
AU-6 | Audit Review, Analysis, and Reporting | AU-6 (1) (3)
AU-7 | Audit Reduction and Report Generation | AU-7 (1)
AU-8 | Time Stamps | AU-8 (1)
AU-9 | Protection of Audit Information | AU-9 (4)
AU-10 | Non-repudiation | Not Selected
AU-11 | Audit Record Retention | AU-11
AU-12 | Audit Generation | AU-12
4. CA: Security Assessment and Authorization (Management Controls Category)
CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1
CA-2 | Security Assessments | CA-2 (1)
CA-3 | System Interconnections | CA-3 (5)
CA-5 | Plan of Action and Milestones | CA-5
CA-6 | Security Authorization | CA-6
CA-7 | Continuous Monitoring | CA-7 (1)
CA-9 | Internal System Connections | CA-9
5. CM: Configuration Management (Operational Controls Category)
CM-1 | Configuration Management Policy and Procedures | CM-1
CM-2 | Baseline Configuration | CM-2 (1) (3) (7)
CM-3 | Configuration Change Control | CM-3 (2)
CM-4 | Security Impact Analysis | CM-4
CM-5 | Access Restrictions for Change | CM-5
CM-6 | Configuration Settings | CM-6
CM-7 | Least Functionality | CM-7 (1) (2) (4)
CM-8 | Information System Component Inventory | CM-8 (1) (3) (5)
CM-9 | Configuration Management Plan | CM-9
CM-10 | Software Usage Restrictions | CM-10
CM-11 | User-Installed Software | CM-11
6. CP: Contingency Planning (Operational Controls Category)
CP-1 | Contingency Planning Policy and Procedures | CP-1
CP-2 | Contingency Plan | CP-2 (1) (3) (8)
CP-3 | Contingency Training | CP-3
CP-4 | Contingency Plan Testing | CP-4 (1)
CP-5 | Withdrawn | –
CP-6 | Alternate Storage Site | CP-6 (1) (3)
CP-7 | Alternate Processing Site | CP-7 (1) (2) (3)
CP-8 | Telecommunications Services | CP-8 (1) (2)
CP-9 | Information System Backup | CP-9 (1)
CP-10 | Information System Recovery and Reconstitution | CP-10 (2)
7. IA: Identification and Authentication (Technical Controls Category)
IA-1 | Identification and Authentication Policy and Procedures | IA-1
IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (2) (3) (8) (11) (12)
IA-3 | Device Identification and Authentication | IA-3
IA-4 | Identifier Management | IA-4
IA-5 | Authenticator Management | IA-5 (1) (2) (3) (11)
IA-6 | Authenticator Feedback | IA-6
IA-7 | Cryptographic Module Authentication | IA-7
IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4)
8. IR: Incident Response (Operational Controls Category)
IR-1 | Incident Response Policy and Procedures | IR-1
IR-2 | Incident Response Training | IR-2
IR-3 | Incident Response Testing | IR-3 (2)
IR-4 | Incident Handling | IR-4 (1)
IR-5 | Incident Monitoring | IR-5
IR-6 | Incident Reporting | IR-6 (1)
IR-7 | Incident Response Assistance | IR-7 (1)
IR-8 | Incident Response Plan | IR-8
9. MA: Maintenance (Operational Controls Category)
MA-1 | System Maintenance Policy and Procedures | MA-1
MA-2 | Controlled Maintenance | MA-2
MA-3 | Maintenance Tools | MA-3 (1) (2)
MA-4 | Nonlocal Maintenance | MA-4 (2)
MA-5 | Maintenance Personnel | MA-5
10. MP: Media Protection (Operational Controls Category)
MP-1 | Media Protection Policy and Procedures | MP-1
MP-2 | Media Access | MP-2
MP-3 | Media Marking | MP-3
MP-4 | Media Storage | MP-4
MP-5 | Media Transport | MP-5 (4)
MP-6 | Media Sanitization | MP-6
MP-7 | Media Use | MP-7 (1)
11. PE: Physical and Environmental Protection (Operational Controls Category)
PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1
PE-2 | Physical Access Authorizations | PE-2
PE-3 | Physical Access Control | PE-3
PE-4 | Access Control for Transmission Medium | PE-4
PE-5 | Access Control for Output Devices | PE-5
PE-6 | Monitoring Physical Access | PE-6 (1)
PE-8 | Visitor Access Records | PE-8
PE-9 | Power Equipment and Cabling | PE-9
PE-10 | Emergency Shutoff | PE-10
PE-11 | Emergency Power | PE-11
PE-12 | Emergency Lighting | PE-12
PE-13 | Fire Protection | PE-13 (3)
PE-14 | Temperature and Humidity Controls | PE-14
PE-15 | Water Damage Protection | PE-15
PE-16 | Delivery and Removal | PE-16
PE-17 | Alternate Work Site | PE-17
12. PL: Planning (Management Controls Category)
PL-1 | Security Planning Policy and Procedures | PL-1
PL-2 | System Security Plan | PL-2 (3)
PL-4 | Rules of Behavior | PL-4 (1)
PL-8 | Information Security Architecture | PL-8
13. PS: Personnel Security (Operational Controls Category)
PS-1 | Personnel Security Policy and Procedures | PS-1
PS-2 | Position Risk Designation | PS-2
PS-3 | Personnel Screening | PS-3
PS-4 | Personnel Termination | PS-4
PS-5 | Personnel Transfer | PS-5
PS-6 | Access Agreements | PS-6
PS-7 | Third-Party Personnel Security | PS-7
PS-8 | Personnel Sanctions | PS-8
14. RA: Risk Assessment (Management Controls Category)
RA-1 | Risk Assessment Policy and Procedures | RA-1
RA-2 | Security Categorization | RA-2
RA-3 | Risk Assessment | RA-3
RA-5 | Vulnerability Scanning | RA-5 (1) (2) (5)
15. SA: System and Services Acquisition (Management Controls Category)
SA-1 | System and Services Acquisition Policy and Procedures | SA-1
SA-2 | Allocation of Resources | SA-2
SA-3 | System Development Life Cycle | SA-3
SA-4 | Acquisition Process | SA-4 (1) (2) (9) (10)
SA-5 | Information System Documentation | SA-5
SA-8 | Security Engineering Principles | SA-8
SA-9 | External Information System Services | SA-9 (2)
SA-10 | Developer Configuration Management | SA-10
SA-11 | Developer Security Testing and Evaluation | SA-11
16. SC: System and Communications Protection (Technical Controls Category)
SC-1 | System and Communications Protection Policy and Procedures | SC-1
SC-5 | Denial of Service Protection | SC-5
SC-7 | Boundary Protection | SC-7
SC-8 | Transmission Confidentiality | SC-8
SC-18 | Mobile Code | SC-18
SC-19 | Voice Over Internet Protocol | SC-19
SC-28 | Protection of Information at Rest | SC-28
SC-39 | Process Isolation | SC-39
17. SI: System and Information Integrity (Operational Controls Category)
SI-1 | System and Information Integrity Policy and Procedures | SI-1
SI-2 | Flaw Remediation | SI-2 (2)
SI-3 | Malicious Code Protection | SI-3 (1) (2)
SI-4 | Information System Monitoring | SI-4 (2) (4) (5)
SI-5 | Security Alerts, Advisories, and Directives | SI-5
SI-7 | Software, Firmware, and Information Integrity | SI-7 (1) (7)
SI-8 | Spam Protection | SI-8 (1) (2)
SI-10 | Information Input Validation | SI-10
SI-11 | Error Handling | SI-11
SI-12 | Information Handling and Retention | SI-12
SI-16 | Memory Protection | SI-16
18. PM: Program Management (Management Controls Family)
PM-1 | Information Security Program Plan | all
PM-2 | Senior Information Security Officer | all
PM-3 | Information Security Resources | all
PM-4 | Plan of Action and Milestones Process | all
PM-5 | Information System Inventory | all
PM-6 | Information Security Measures of Performance | all
PM-7 | Enterprise Architecture | all
PM-8 | Critical Infrastructure Plan | all
PM-9 | Risk Management Strategy | all
PM-10 | Security Authorization Process | all
PM-11 | Mission/Business Process Definition | all
PM-12 | Insider Threat Program | all
PM-13 | Information Security Workforce | all
PM-14 | Testing, Training, and Monitoring | all
PM-15 | Contacts with Security Groups and Associations | all
PM-16 | Threat Awareness Program | all
CSIA 413: Cybersecurity Policy, Plans, and Programs
Project #3: System Security Plan
WARNING: YOU MUST PARAPHRASE INFORMATION USED IN THIS ASSIGNMENT. Copy/Paste
is only allowed for the names and designators of security controls and/or control families. All other
information used in this assignment must be rewritten into your own words.
Company Background & Operating Environment
Red Clay Renovations is an internationally recognized, award-winning firm that specializes in the
renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating
homes using “smart home” and “Internet of Things” technologies while maintaining period correct
architectural characteristics. Please refer to the company profile (file posted in Week 1 > Content > CSIA
413 Red Clay Renovations Company Profile.docx) for background information and information about the
company’s operating environment. In addition to the information from the company profile, you should:


• Use the Wilmington Headquarters (staff) office as the target for the System Security Plan
• Use Verizon FiOS as the Internet Services Provider (see
http://www.verizonenterprise.com/terms/us/products/internet/sla/ )
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to
protect information, information systems, and the information infrastructures for the company’s
headquarters and field offices. This requirement has been incorporated into the company’s risk
management plan and the company’s CISO has been tasked with developing, documenting, and
implementing the required security measures. The IT Governance board also has a role to play since it
must review and approve all changes which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using
guidance from NIST SP-800-18 Guide for Developing Security Plans for Federal Information Systems.
The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this
recommendation. In its discussions prior to the vote, the CISO explained why the best practices
information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also
accepted the CISO’s recommendation for creating a single System Security Plan for a General Support
System since, in the CISO’s professional judgement, this type of plan would best meet the
“formalization” requirement from the company’s recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the
required system security plan for a General Support System. In your research so far, you have learned
that:
• A general support system is defined as “an interconnected set of information resources
under the same direct management control that shares common functionality.” (See
NIST SP 800-18)
• The Chief of Staff for the company is the designated system owner for the IT support
systems in the Wilmington, DE headquarters offices.
• The system boundaries for the Wilmington, DE office’s General Support System have
already been documented in the company’s enterprise architecture (see the case study).
• The security controls required for the Wilmington, DE office’s IT systems have been
documented in a security controls baseline (see the controls baseline attached to this
assignment).
Copyright ©2019 by University of Maryland University College. All Rights Reserved
Section 13 of this document will take you the most time to research and write because it
requires the most original writing on your part. You must write a description for EACH CONTROL
CATEGORY (managerial, operational, and technical). Then, paste in the table from the Security
Controls Baseline. THEN, write a descriptive paragraph explaining how these specific controls
will work together to protect the Red Clay Renovations IT Infrastructure for the Wilmington, DE
Offices (Headquarters).
URLs for Recommended Resources For This Project
• Service Level Agreement (SLA) Internet Dedicated Services | Verizon Enterprise (Web Page):
http://www.verizonenterprise.com/terms/us/products/internet/sla/
• NIST SP 800-100 Information Security Handbook: A Guide for Managers (PDF):
https://doi.org/10.6028/NIST.SP.800-100
• NIST SP 800-12 R1: An Introduction to Information Security (PDF):
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
• NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems (PDF):
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
• NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations (PDF):
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Research:
1. Review the information provided in the case study and in this assignment, especially the
information about the headquarters and field offices and the IT systems and networks used in
their day to day business affairs.
2. Review NIST’s guidance for developing a System Security Plan for a general support IT System.
This information is presented in
a. NIST SP 800-12 R1 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
Pay special attention to Chapter 2 and Section 5.4
b. NIST SP 800-18. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
Pay special attention to the Sample Information System Security Plan template
provided in Appendix A.
3. Review the definitions for IT Security control families as documented in NIST SP 800-12 R1
Chapter 10. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
4. Review the definitions for individual controls as listed in Appendix F Security Control Catalog in
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf You should focus on
those controls listed in the security controls baseline provided with this assignment.
Write:
1. Use the following guidance to complete the System Security Plan using the template from
Appendix A of NIST SP 800-18.
a. Sections 1 through 10 will contain information provided in the assigned case study. You
may need to “interpret” that information when writing the descriptions. “Fill in the
blanks” for information about the company or its managers which is not provided in the
case study (i.e., names, email addresses, phone numbers, etc.). Make sure that your
fictional information is consistent with information provided in the case study (name of
company, locations, etc.).
b. Section 11 should contain information about the Wilmington, DE headquarters office’s
Internet connection. Do not include the table. Use the business Internet Services
Provider listed at the top of this assignment file. Describe the system interconnection
type and the service level agreement in this section.
c. Section 12 should contain information derived from the case study. You will need to
identify the types of information processed in the headquarters offices and then list the
laws and reg …