This is an introduction to the NIST Special Publication 800-18, System Security Plan. We walk through why you need a System Security Plan and some of the main elements of the System Security Plan.
#SSP, #NIST,#systemsecurity,#security,#rmf
system security plan
6 Tips for Executive Summaries
I wrote a terrible executive summary for our security authorization package. My manager and our customer called me out on it. There were misspelling and grammatical errors. Needless to say, I was embarrassed. I essentially cranked out a draft and posted it live. Huge mistake. The immediate backlash I received was a humiliating reminded of the importance of executive summaries. As I rewrote the executive summary, I started to think that its time to go back to school on my documentation skill set. I started to ask myself, what is an executive summary? Why do we need one? And what is important within executive summaries? I boiled it down to 6 tips.
6 Tips for Executive Summaries:
Write Executive Summaries to your audience – There are many documents that have executive summaries. Just to name a few: legal documents, business plans, proposals, investments proposals, policies, standards and of course system security plans all usually have executive summaries. Each of these executive summaries serve a different purpose. For business and investment proposals executive summaries should have a quick impact to convince the reader to keep reading the rest of the document. For a system security plan or system authorization package, you are highlighting main points of the package realizing that the reader may not be able to read 100% of the documentation. The intent of the executive summary must be explained in the language of the audience you are speaking to.
Audience language – Remember who you are writing to. The majority of people reading your technical document will not be technical and they may not even be completely familiar with your field of expertise. The executive summary is especially for managers, decision makers, authorizing officials and CEO types who are normally busy paper pushing in their ivory towers. They are arm chair warriors that probably used to know all about what you do but now they have more money than time. If you are hoping to impress the reader by expressing your technical knowledge with words that only mean something to other egg heads, then you are wrong. The executive summary is not the area you want to do this in. If anything, you want to express highly technical data in layman’s terms (where possible), which is the true mark of a great mind. Also, most very technical readers who are already in the weeds of your subject matter will probably skip the executive summary anyway since they already know the 101 stuff. The executive summary is the lure to make them bite so you can reel them in. The rest of the document is going to be where you skin them and gut them with facts and stats. By the time they get to the conclusion, you can put a fork in them because they are done… their goose is cooked.. ok.. i am done.. because if they cannot take the heat they should get out of the kitchen.. ok.. NOW, I am done.
Summarize all the main points – One thing all executive summary types have in common is that they outline the document that they proceed. So it is an overview of all of the main points of the remaining document which is why the executive summary is sometimes the last thing you write.
Leave a good impression – Since the executive summary is the first thing your reader will see, it is important to grab their attention, highlight main points and get it right the first time. For Entrepreneurs presenting a business plan, a shoddy or even mediocre executive summaries with no impact is a waste of time. In the same way that a bad executive summary in my security authorization package hurt the credibility of the rest of our system’s security plan. Remember, the people reading this are usually manager types. They walk a tight-rope in a world of words and political slippery slopes, and for them perception is reality. They assume that if the executive summary is bad, then you must be the anti-christ.
Get to the point – Being concise is important for security authorization packages, security plans and other technical executive summaries. Keep in mind that the types of reader that actually need an executive summary are very busy people. They do not have time for fluff. Get to the point as efficiently as possible.
Proof Read it and Peer Review it – The last thing you need to do is to re-read what you wrote. Spell check it, double check each sentence and have someone else read it to make sure it is accurate and written well.
In my (recent) experience, the really terrible thing about writing a bad executive summary is that I have written a lot of these for business and technical packages. Once you have all of the material, they are pretty easy. Having a manager correct me on basic stuff was a real slap in the face. Don’t let this happen to you. You are better than that. Your project and/or product deserves more.
references and other places to get more info on Executive Summaries:
“Writing Guide: Executive Summaries”. Colorado State University. Retrieved 13 June 2011.
Jump up to:a b c d e f “Executive Summary”. Howe Writing Initiative. Miami School of Business. Farmer School of Business. Retrieved 13 June 2011.
http://www.iea.org/textbase/npsum/weo2009sum.pdf
http://en.wikipedia.org/wiki/Executive_summary
info assurance
Info assurance is a comprehensive approach to information security. It included risk management, information protection, operational risk, business risk, assurance technology and much more.
More on “What is Info Assurance”?
Information assurance is the practice of assuring the confidentiality, integrity and availability of the processing, storing and/or transmission of data. Information assurance is used as a more complete approach to information security.
Since Info Assurance covers all aspects of the security, all individuals with internal access to an organizations critical access must get info assurance awareness training. Info Assurance is not just about turning on and configuring Assurance technology, but informing and educating those how have internal access to your system.
Info Assurance has its own complete common body of knowledge, industry, career path and degree programs accepted by the National Center of Academic Excellence in Information Assurance Education and those approved by the National Security Agency.
By becoming an info assurance specialist you can get work in many parts of the DoD including USAF, US Army, Department of the Navy and many other agencies. But IA jobs expect specific certification(s), experience and degree. The IA qualifications come from DoDD 8570 which is being replaced with DoDD 8140. There are lots of titles that are considered within IA: System Security Engineer, Info Assurance Analyst, Info Assurance Specialist, Info Assurance Subject Matter Expert (SME), Risk Analyst IT, and many others.
risk assessment reports
Risk Assessment Reports (RAR) also known as the Security Assessment Report (SAR) is an essential part of the DIARMF Authorization Package. This document can be done at anytime after the system is implemented (DIARMF Process step 3) but must be done during DIARMF step 4, Assess for the risk identification of the system. The Authorization Package consists of the following (but is not limited to):
- System Security Plan (SSP) – “Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.” — NIST SP 800-18. This document provides over all system characterization and control analysis for the system. More on Security Plan – NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
- Plan of Action and Milestone (POA&M pronounced PO’AM) – “A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.” — NIST SP 800-18. After the DIARMF Assessment the POA&M is accomplished to address the residual risks that could not be properly mitigated.
- Risk Assessment Report / Security Assessment Report (RAR/SAR) – “The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact.” — NIST SP 800-18. Form more see NIST SP 800-30, Guide for Conducting Risk Assessments.
- Artifacts – Supporting documents that provide evidence that certain security feature and/or programs exist.
NIST SP 800-30, guide on risk assessment, breaks down what should be in a risk assessment report / security assessment report in appendix K, RISK ASSESSMENT REPORTS ESSENTIAL ELEMENTS OF INFORMATION
The risk assessment report / security assessment report results provide decision makers (system owners & authorization officers) with some idea of the risks that will be imposed upon the organization, asset, individuals in the organization, associates of the organization and in some cases the Nation.
The risk assessment report / security assessment report is broken into three parts:
- Executive Summary (audience Managers) – the executive summary gives a brief high-level view of the overall risk assessment. It lists the dates of the risk assessment, summarized the purpose and scope and gives a quick idea of the finding.
- Body of the Report (audience Security Practitioners) – fills out the details of the findings. In addition to detailing the who, what, when, where and how of the risk assessment, it goes int specific information technology issues. Since it is mentions specific IP addresses and associated vulnerabilities, it must be considered confidential. The RAR/SAR may describe how vulnerabilities can be exploited and what was done to fix the weakness to limit the risk.
- Supporting Appendices – may include actual raw network vulnerability scans. References & glossary.
risk assessment report
Template of Risk Assessment Report/Security Assessment: Risk assessment report_Example
risk management framework steps
The risk management framework steps are detailed in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.
The DoD has recently adopted the Risk Management Framework steps (called the DIARMF process). There are 6 step: Categorize, Select, Implement, Assess, Authorize and Continuous Monitor.
risk management framework – Step 1. Categorize
The first risk management framework step is categorization. This step consists of classifying the importance of the information system. This is done by the system owner with FIPS 199 and NIST 800-60.
Categorization is based on how much negative impact the organization will receive if the information system lost is confidentiality, integrity or availability.
risk management framework – Step 2. Select
With FIPS 200 and NIST SP 800-53, the organization responsible for the systems security will select the security controls required to limit the risk to their organization. The selection of the controls is based on the categorization of your system. A system security plan is created as a guide to what will be installed and/or configured on the system.
More on DIARMF – Select
risk management framework – Step 3. Implement
Using the System Security Plan, the organization responsible for the categorized system can begin risk management framework step 3. This step is implementation which is installation and configuration of security patches, hotfixes and security devices where necessary. Guidance for actual implantation has to come from technical manuals, system administrators, system engineers and others technically competent enough to do the work.
More on DIARMF – Implement
risk management framework – Step 4. Assess
The organization has to make sure that the security controls are implemented properly. This is done in risk management step 4, assess. Using NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations is used to determine which controls have been fully implemented to limit the risks to the organization.
More on DIARMF – Assess
risk management framework – Step 5. Authorize
Even after implementation and assessment of the security controls that limits the over all risk to the organization, there is some remaining (residual) risk. The organization must have someone who has enough authority of over the system to accept the residual risk. This person is known as the Authorizing Official.
In risk management framework step 5, an Authorizing Official makes a formal, written acceptance of the risks. The AO makes a decision on whether or not to accept the risk based on the authorization package. The authorization package consists of the system security plan, plan of action and milestone, security/risk assessment report and any other supporting documents.
More on DIARMF – Authorization
risk management framework – Step 6. Continuous Monitoring
After acceptance of risk by the organization, they must develop a program that monitors the ongoing changes to the systems security posture. They take a proactive approach to watching for advanced persistent threats, configuration changes and new vulnerabilities. Risk management framework step 6 handles all of this.
More on DIARMF – Continuous Monitoring