System Security Plan (ssp) Categorization: Moderate-Low-Low



Yüklə 1,92 Mb.
səhifə21/29
tarix16.05.2018
ölçüsü1,92 Mb.
#50588
1   ...   17   18   19   20   21   22   23   24   ...   29

10.18Planning (PL)

10.18.1PL-1 – Security Planning Policy and Procedures


Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.

10.18.2PL-2 – System Security Plan





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



System Security Plans (SSPs) shall be classified in accordance with the Program Security Classification Guide (SCG) and in order to minimize OPSEC indicators.

The organization:

Develops a security plan for the IS that:

  • Conforms to the SSP template as provided by the ISSM

  • Is consistent with the enterprise architecture.

  • Explicitly defines the authorization boundary for the system.

  • Describes the operational context of the information system in terms of missions and business processes.

  • Describes the CONOPS for the information system including, at a minimum, the purpose of the system and a description of the system architecture.

  • Provides the impact levels for Confidentiality, Integrity and Availability of the information system including supporting rationale.

  • Describes the functional architecture for the information system that identifies:

  • External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface.

  • User roles and the access privileges assigned to each role.

  • Unique security requirements.

  • Types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, EOs, directives, policies, regulations, standards, and guidance (to include any unique requirements of the Information Owner/Steward).

  • Restoration priority of information or information system services.

  • Describes the operational environment for the information system.

  • Describes relationships with or connections to other information systems, include ISAs and ATCs, as applicable.

  • Identifies the security requirements for the information system, as captured in the SCTM. See Appendix C for guidance on SCTM creation.

  • Identifies controls tailored in or tailored out by the AO.

  • Identifies any exceptions, which denotes a control or part of a control that is not met and is an accepted risk by the AO. Exceptions should also be captured on the POA&M unless otherwise directed by the AO.

  • Identifies the type of control (common, system specific, or hybrid) and describes how the security controls are implemented or planned to be implemented including a rationale for any tailoring and supplementation decisions

  • Identifies the controls tailored out/in/modified as approved by the DAO

  • Identifies any exceptions; i.e., a control or part of a control that is not or cannot be met and is an accepted risk by the DAO. Exceptions shall also be included in the POA&M.

  • Approved by the DAO ICW the SCA prior to the plan implementation

Click here to enter text.



Distributes copies of the plan and communicates subsequent changes to the plan to all required stakeholders, to include the DAO




Reviews the security plan at least annually or when required due to system changes or modifications




Updates the plan to address changes to the IS/operations environment or problems identified during plan implementation or security control assessments




Protects the security plan from unauthorized disclosure and modification




CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.18.2.1PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization plans and coordinates security-related activities affecting the IS with all relevant organizations or groups before conducting such activities in order to reduce the impact on other organizational entities.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.18.3PL-4 – Rules of Behavior





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



Rules of Behavior are addressed as part of user security awareness and training. See Security Training [AT-3]. Signed acknowledgement of the rules of behavior is covered via user access agreements. See User Agreements [PS-6]. The rules of behavior are also referred to as the Acceptable Use Policy (AUP). See the DAA PM for a list of the minimum responsibilities of a General User.

The organization:

Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage

Click here to enter text.



Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system

Click here to enter text.

Reviews and updates the rules of behavior at least annually

Click here to enter text.

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.18.3.1PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.18.4PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2

10.18.5PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2

10.18.6PL-8 – Information Security Architecture– NEW BASELINE





Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



This control can be met through detailed descriptions in the SSP of the system overview, system environment, facility diagram, network architecture, system diagram, and system connectivity.

The organization:

Develops an information security architecture for the IS that: describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity and availability of organizational information; describes how the IS architecture is integrated into and supports the enterprise architecture; and describes any information security assumptions about, and dependencies on, external services

Click here to enter text.



Reviews and updates the information security at least annually or when changes to the IS or its environment warrant to reflect updates in the enterprise architecture

Click here to enter text.

Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS) (if appropriate), and organizational procurements/acquisitions

Click here to enter text.

Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.18.6.1PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization designs its security architecture using a defense in depth approach that allocates security safeguards based on security impact to Program IS; and ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.18.6.2PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

 Implemented  Planned

Organizational Tailoring:

 Compensatory Control (Provide justification below)  Tailored In (Provide justification below)

 Tailored Out (Provide justification below)  Modified (Provide justification below)


Control Origination (check all that apply):

 Common  System Specific  Hybrid (Common and System Specific)



The organization requires that equipment and services to meet the security safeguards based on security impact to Program IS and its operational environment are obtained from different suppliers.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.



Yüklə 1,92 Mb.

Dostları ilə paylaş:
1   ...   17   18   19   20   21   22   23   24   ...   29



Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©muhaz.org 2024
rəhbərliyinə müraciət
gir | qeydiyyatdan keç
    Ana səhifə
Dərs
Dərslik
Guide
Kompozisiya
Mücərrəd
Mühazirə
Qaydalar
Referat
Report
Request
Review

yükləyin