Many more videos on https://www.youtube.com/convocourses
Short videos at https://www.tiktok.com/@convocourses?lang=en and https://www.instagram.com/convocourseqs/
https://www.facebook.com/ConvoCourses-108091850619388
Podcast version of the content: https://podcasts.apple.com/us/podcast/convocourses/id1500188278 and http://www.nist80037rmf.com/google_podcast
This is an introduction to the NIST Special Publication 800-18, System Security Plan. We walk through why you need a System Security Plan and some of the main elements of the System Security Plan.
I wrote a terrible executive summary for our security authorization package. My manager and our customer called me out on it. There were misspellings and grammatical errors. Needless to say, I was embarrassed. I essentially cranked out a draft and posted it live. Huge mistake. The immediate backlash I received was a humiliating reminder of the importance of executive summaries. As I rewrote the executive summary, I started to think that it's time to go back to school on my documentation skill set. I started to ask myself: what is an executive summary? Why do we need one? And what is important within executive summaries? I boiled it down to 6 tips.
6 Tips for Executive Summaries:
Write Executive Summaries to your audience – Many documents have executive summaries. Just to name a few: legal documents, business plans, proposals, investment proposals, policies, standards and of course system security plans all usually have executive summaries. Each of these executive summaries serves a different purpose. For business and investment proposals, the executive summary should have a quick impact to convince the reader to keep reading the rest of the document. For a system security plan or system authorization package, you are highlighting the main points of the package, realizing that the reader may not be able to read 100% of the documentation. The intent of the executive summary must be explained in the language of the audience you are speaking to.
Audience language – Remember who you are writing to. The majority of people reading your technical document will not be technical, and they may not even be completely familiar with your field of expertise. The executive summary is especially for managers, decision makers, authorizing officials and CEO types who are normally busy paper pushing in their ivory towers. They are armchair warriors that probably used to know all about what you do, but now they have more money than time. If you are hoping to impress the reader by expressing your technical knowledge with words that only mean something to other eggheads, then you are wrong. The executive summary is not the area you want to do this in. If anything, you want to express highly technical data in layman's terms (where possible), which is the true mark of a great mind. Also, most very technical readers who are already in the weeds of your subject matter will probably skip the executive summary anyway, since they already know the 101 stuff. The executive summary is the lure to make them bite so you can reel them in. The rest of the document is going to be where you skin them and gut them with facts and stats. By the time they get to the conclusion, you can put a fork in them because they are done… their goose is cooked.. ok.. I am done.. because if they cannot take the heat they should get out of the kitchen.. ok.. NOW, I am done.
Summarize all the main points – One thing all executive summary types have in common is that they outline the document they precede. It is an overview of all of the main points of the remaining document, which is why the executive summary is sometimes the last thing you write.
Leave a good impression – Since the executive summary is the first thing your reader will see, it is important to grab their attention, highlight the main points and get it right the first time. For entrepreneurs presenting a business plan, a shoddy or even mediocre executive summary with no impact is a waste of time, in the same way that the bad executive summary in my security authorization package hurt the credibility of the rest of our system's security plan. Remember, the people reading this are usually manager types. They walk a tight-rope in a world of words and political slippery slopes, and for them perception is reality. They assume that if the executive summary is bad, then you must be the anti-christ.
Get to the point – Being concise is important for security authorization packages, security plans and other technical executive summaries. Keep in mind that the types of readers that actually need an executive summary are very busy people. They do not have time for fluff. Get to the point as efficiently as possible.
Proofread it and Peer Review it – The last thing you need to do is re-read what you wrote. Spell check it, double check each sentence and have someone else read it to make sure it is accurate and well written.
In my (recent) experience, the really terrible thing about writing a bad executive summary is that I have written a lot of these for business and technical packages. Once you have all of the material, they are pretty easy. Having a manager correct me on basic stuff was a real slap in the face. Don't let this happen to you. You are better than that. Your project and/or product deserves more.
References and other places to get more info on Executive Summaries:
“Writing Guide: Executive Summaries”. Colorado State University. Retrieved 13 June 2011.
The Risk Assessment Report (RAR), also known as the Security Assessment Report (SAR), is an essential part of the DIARMF Authorization Package. This document can be done at any time after the system is implemented (DIARMF Process step 3), but must be done during DIARMF step 4, Assess, for the risk identification of the system. The Authorization Package consists of the following (but is not limited to):
- System Security Plan (SSP) – "Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements." — NIST SP 800-18. This document provides the overall system characterization and control analysis for the system. More on the Security Plan: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems.
- Plan of Action and Milestones (POA&M, pronounced PO'AM) – "A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones." — NIST SP 800-18. After the DIARMF Assessment, the POA&M is completed to address the residual risks that could not be properly mitigated.
- Risk Assessment Report / Security Assessment Report (RAR/SAR) – "The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact." — NIST SP 800-18. For more, see NIST SP 800-30, Guide for Conducting Risk Assessments.
- Artifacts – Supporting documents that provide evidence that certain security features and/or programs exist.
NIST SP 800-30, the guide on risk assessment, breaks down what should be in a risk assessment report / security assessment report in Appendix K, Risk Assessment Reports: Essential Elements of Information.
The risk assessment report / security assessment report results provide decision makers (system owners & authorization officers) with some idea of the risks that will be imposed upon the organization, its assets, individuals in the organization, associates of the organization and, in some cases, the Nation.
The risk assessment report / security assessment report is broken into three parts:
- Executive Summary (audience: Managers) – the executive summary gives a brief, high-level view of the overall risk assessment. It lists the dates of the risk assessment, summarizes the purpose and scope, and gives a quick idea of the findings.
- Body of the Report (audience: Security Practitioners) – fills out the details of the findings. In addition to detailing the who, what, when, where and how of the risk assessment, it goes into specific information technology issues. Since it mentions specific IP addresses and associated vulnerabilities, it must be considered confidential. The RAR/SAR may describe how vulnerabilities can be exploited and what was done to fix the weakness to limit the risk.
- Supporting Appendices – may include the actual raw network vulnerability scans, references and a glossary.
Template of Risk Assessment Report / Security Assessment Report: Risk assessment report_Example