System Security Planning Policy Guidance
The following article contains guidance explaining portions of the System Access Control Policy that we frequently see questions around, explaining what the sections mean.
Guidance statements will appear in bold and enclosed in brackets “[]” below the statements of the policy.
System Security Planning Policy
[COMPANY NAME]
[This policy is only relevant to NIST SP 800-53]
____________________________________________________________________________
Purpose
To ensure that [COMPANY NAME]’s resources and information systems are established with effective security controls and control enhancements that reflect applicable rules, regulations, guidelines and other obligations.
Policy
System Security Plan (SSP)
[COMPANY NAME] shall:
Develop a security plan for each information system that:
Is consistent with the company’s enterprise architecture;
Defines explicitly the authorization boundary for the system;
[Clearly define the scope of the system, including what components (e.g., hardware, software, networks, people, etc.) are within the system boundary and what are external)
Describes the operational context of the information system in terms of missions and business processes;
Provides the security categorization of the information system including supporting rationale;
[Apply a security categorization based on the system’s confidentiality, integrity, and availability requirements, in accordance with FIPS 199 or NIST SP 800-60]
Describes the operational environment for the information system and relationships with or connections to other information systems;
Provides an overview of the security requirements for the system;
Identifies any relevant overlays, if applicable;
Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions;
[ e.g., Access Control, Encryption, Firewalls. ]
Is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
Distribute copies of the security plan and communicate subsequent changes to the plan to authorized personnel and/or business units.
[How changes to plan will be communicated (e.g., email, intranet updates).]
Review the security plan for the information system at least annually.
Update the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
Protect the security plan from unauthorized disclosure and modification.
Rules for Behavior
[COMPANY NAME] will establish rules for behavior readily and make available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage. Refer to the company’s Code of Conduct policy.
[ In addition to the Code of Conduct Policy, these rules will incorporate other relevant policies, such as the Acceptable Use Policy and Data Handling Policy. ]
Information Security Architecture
[COMPANY NAME] will:
Develop an information security architecture for the information system that will:
Describe the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information.
Describe how the information security architecture is integrated into and supports the enterprise architecture.
Describe any information security assumptions and dependencies on external services.
Review and update the information security architecture no less than annually, to reflect updates in the enterprise architecture.
Ensure that planned information security architecture changes are reflected in the security plan, the security operations and procurements/acquisitions.
Defense In-Depth Approach
[COMPANY NAME] will design security architecture using a defense-in-depth approach that:
[Defense-in Depth is also known as a “layered security” approach where multiple, independent defenses are implemented to protect an organization’s assets, ensuring that if one security measure fails, others continue to provide protection.”
Allocates security safeguards to the following locations and architectural layers:
<LOCATION 1>
<LOCATION 2>
<ARCHITECTURAL LAYER 1>
<ARCHITECTURAL LAYER 2>
+
Will ensure that the security safeguards operate in a coordinated and mutually reinforcing manner.
Revision History
Version | Date | Editor | Approver | Description of Changes | Format |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|