1

Preparing a System Security Plan

2

Overview

Define a Security Plan

Pitfalls to avoid

Required Documents

Contents of the SSP

The profile

Certification

3

What is a System Security Plan (SSP)?

• The SSP is the user’s guide for operating your system.

• The SSP contains specific procedures and processes.

• Has two parts: Written instructions and a technical information.• The written instruction provides all the explanations and steps necessary for a non-technical user to operate the system.• The profile only list the technical information.

4

Pitfalls to avoid

• Failure to submit a cover letter

• Not providing detailed information

• Use of generic phrases e.g. If feasible, When applicable, If possible, etc

• Referring users to the profile for additional explanations

5

Pitfalls to avoid

• Failure to submit all required documents

• Completely re-writing a plan instead of only making suggested changes

• Failure to verify information in SSP to the profile

6

Required Documents

• Cover Letter

• SSP

• Profile

• Certification

• Network Security Plans or MOA/MOU for outside connections

• Customer letters

• Approved Variance letters

7

Preparing the Security Plan

8

• Cover Page

• Revision Log

9

Cover Page Requirements

• Facility Name and address

• Cage Code

• Type of Plan

• Protection Level

• Operating Environment

• Outside Connections

• Date and Revision number

Revision Log

• Must be completed with each revision.

10

1. Introduction

11

Introduction

• Purpose

• Identifies the purpose of the document

• Identifies the purpose of the System

• List of Attachments

12

Introduction

•Scope

• Identifies the range of operations

• Protection Level

• Classification Level

• Confidentiality, Integrity, Availability

• Type of system

• Categories of Information and formal access requirements

• Operating Environment

• Alternate Site Processing

13

2. Personnel Management

14

Personnel Responsibilities

• Contractor Management

• How is the security policy supported by Management

• ISSM Responsibilities

• May be listed exactly from the NISPOM

• ISSO Responsibilities

• May be listed exactly from the NISPOM or may be tailored to what you want this person to do.

• If using the ISSO Delegation Record, compare duties.

15

Personnel Responsibilities

• Users

• Privileged Users

• Other than the ISSM and ISSO.

• What are these users allowed to do on your system.

• General Users

• What are these users allowed to do on your system

16

3. Certification and Accreditation

17

Certification and Accreditation

• Certification

• Explain your certification process

• Accreditation

• Explain the accreditation process

• Reaccreditation

• Explain when reaccreditation is required and the process

18

Certification and Accreditation

• Certification of Similar Systems

• Certification process

• Define a similar system

•Security Testing

• Purpose

• Describe the frequency

• Self Inspections

• Describe the frequency

• Explain what will be inspected

19

4. System Identification and Requirements (SIRS)

20

System Identification and Requirements Specification

• Pure Servers (8-503)

• Provides non interactive service (e.g. messaging service)

• No user access

• No user code

This is the beginning of the technical information and procedures for your system.

21

System Identification and Requirements Specification

• Tactical, Embedded, Data Acquisition, and Special Purpose Systems (8-504)

• No General users

• No user code

• Mobile Systems (8-308)

• A system that is used for classified processing outside your facilities cage code.

• May be at another Contractor or a Government site

22

5. Protection Measures

23

Protection Measures

• Accounts and Logons

• Identification and Management

• Are logons being used

• Explain how you create unique user IDs

• Explain how authenticators (passwords) are created and passed to the user

24

Protection Measures

• Accounts and Logons

• Requirements for Passwords

• Identify password length

• Password lifetime

• Password complexity

• Guidelines for User Generated Passwords

• Explain the requirements users are to follow

25

Protection Measures

• Accounts and Logons

• Generic or Group Accounts

• Are these accounts authorized

• Explain the purpose

• Explain the access procedures

26

Protection Measures

• Session Controls

• Logon Banner Requirements

• Are you using the most current banner

• How is the banner displayed

• Action to remove the banner

27

Protection Measures

• Session Controls

• Successive Logon Attempt Controls

• Are they controlled?

•Define the number of unsuccessful logon attempts before the account is locked

• Explain your procedures for unlocking an account

• System Entry Conditions

• Explain how a user accesses the system

28

Protection Measures

• Access Controls

• Explain what technical and physical controls are in place to protect the system.

• BIOS Protection

• Boot Sequence

• Seals

• Removable Hard drive protection

29

Protection Measures

• Audit Requirements

• Frequency of Audits

• Audit Configuration and Settings

• Audit Management Overflow

• Manual Logs required to be audited

• List procedures if a variance is approved

30

Protection Measures

• System Recovery and Assurances

• Explain how you are going to recover and certify your system in a controlled manner

• Virus and Malicious Code Detection

• Explain how you will detect malicious code

• Explain procedures for updating antivirus definition files

• Data Transmission Protection

• Explain how data is transmitted

31

Protection Measures

• Clearance and Sanitization

• Clearing

• Authorized

• Method used

• Sanitization

• Authorized

• Method used

32

Protection Measures

• Protection Measure Variances

• Identify any approved variances

• Include a copy of the letter in the profile

33

6. Personnel Security

34

Personnel Security

• Personnel Access to IS

• Identify specific requirements users must meet before accessing the system

• Security Education

• Initial Training Requirements

• Explain your training requirements

• Ongoing IS Security Education Programs

• Describe your ongoing security education program

35

7. Physical Security

36

Physical Security

• Operating Environment

• You cannot identify multiple operating environments.

• Briefly describe your environment

37

8. Maintenance

38

Maintenance

• Facility Maintenance Policy

• Describe how maintenance will be performed and by whom

• Cleared Maintenance Personnel

• Uncleared Maintenance Personnel

• Explain procedures for using uncleared personnel

39

9. Media Controls

40

Media Controls

• Classified Media

• Define and provide examples

• Protected Media

• Define and provide examples

• Unclassified or Lower Classified Media

• Define and explain its use

• Media Destruction

• Explain how media is destroyed.

41

10. Output Procedures

42

Output Procedures

• Hardcopy Output Review

• Define and provide procedures for review

• Verify with hardware list to ensure you have a printer identified

• Media Review and Trusted Downloading

• Authorized

• Method used

• DSS Approved procedures

• Non Approved procedures

43

11. Upgrade and Downgrade Procedures

44

Upgrade and Downgrade Procedures

• These procedures are required if operating in a Restricted Area, MPF, when using removable hard drives, or when performing periods processing

• Procedures are specific to each system

• Upgrade/Startup Procedure• Compare to your Upgrade Log

• Downgrade/Shutdown Procedure• Compare to your Downgrade Log

• Periods Processing• Authorized

45

12. Markings

46

Marking

• IS Hardware Components

• List the documents that govern marking

• Classified marking requirements

• Markings for co-located systems

47

Marking

• Media

• Unclassified Media Markings

• Classified Media Markings

• Overall classification level

• Applicable special markings e.g. NATO,

• Unclassified Title

• Creation date

• Derived from

• Declassify on

48

13. Configuration Management Plan and System Configuration

49

Configuration Management Plan and System Configuration

• Configuration Management (CM)

• The Configuration Management Program ensures that protection features are implemented and maintained on the system. This includes a formal change control process of all security relevant aspects of the system.

• Specify who is responsible for authorizing security relevant changes

• Explain how changes are documented

• Explain how the CM process is evaluated and frequency

50

Configuration Management Plan and System Configuration

• System Configuration

• Hardware Description

• Provide a generic description of your hardware e.g. Desktops, laptops, networked, non networked, etc.

• List only the equipment that applies to your system

• Hardware Requirements

• Identify requirements that must be met prior to processing

51

Configuration Management Plan and System Configuration

Change Control Procedures for Hardware

• Addition of Hardware

• List procedures to be followed when adding hardware

• Removal of Hardware

• List procedures to be followed when adding software

• Reconfiguration of Hardware

• List procedures to be followed when reconfiguring hardware

• Who is authorized to reconfigure the system

52

Configuration Management Plan and System Configuration

• Software Description

• Provide a generic description of the software authorized for use on the system

• Software Requirements

• Identify limitations on the type of software that can be used

• Identify protection requirements

• Explain how software is introduced to the system

• Address software development

• Address malicious code

53

Configuration Management Plan and System Configuration

• Change Control Procedures for Software

• Addition of Software

• Identify who authorizes the addition of software

• Identify what types of software can be added and by whom

• Explain the documentation requirements for adding software

54

Configuration Management Plan and System Configuration

• Change Control Procedures for Software

• Removal of Software

• Identify who authorizes the removal of the software

• Identify what types of software can be removed and by whom

• Explain the documentation requirements for removing software

• Other SSP Changes

• Who is authorized to make changes to the security plan

55

14. System Specific Risks and Vulnerabilities

56

System Specific Risks and Vulnerabilities

• Risk Assessment

• Risk assessment is the process of analyzing threats and vulnerabilities of an IS and potential impact resulting from the loss of information or capabilities of a system.

• You must identify if there are any unique local threats

57

15. Network Security

58

Network Security

• Network Description

• Describe your network

• Unified

• Interconnected

• Network Management Protections

• Describe any physical or logical protections for network devices and cabling

59

System Profile

60

• Profile

• Contains specific technical information about the system

• Must be compared to appropriate paragraph in the SSP

• Does not contain routine procedures

• Does contain special procedures

61

System Certification

62

• Certification

• Physical inspection of your system

• Written documentation to DSS that the system meets all NISPOM requirements

• Certification Test Guide

• NISP Tool

63

Summary

• Required Documentation

• Requirements of the SSP

• Requirements of the profile

• Certification

64

Questions