Computer Science Homework Help

Analyzing IT Case Study: System Security Plan

>>CASE STUDY IS ATTACHED<< 

>>PLEASE REVIEW THE ENTIRE ASSIGNMENT BEFORE BIDDING<<

>>TEMPLATE AND SECURITY CONTROLS ARE ATTACHED<<

>>DO NOT BID UNLESS YOU UNDERSTAND NIST PUBLICATIONS, IT SECURITY AND CAN REVIEW, THEN TIE IN CASE STUDY INFORMATION<<

Project #3: System Security Plan

Company Background & Operating Environment

The assigned case study and attachments to this assignment provide information about “the company.”

· Use the Baltimore field office as the target for the System Security Plan.

· Use Verizon FiOS as the Internet Services Provider (see http://www.verizonenterprise.com/terms/us/products/internet/sla/).

Policy Issue & Plan of Action

A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s field offices. This requirement has been incorporated into the company’s risk management plan, and the company’s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play, since it must review and approve all changes which affect IT systems under its purview.

The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems. The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best-practices information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also accepted the CISO’s recommendation for creating a single System Security Plan for a General Support System since, in the CISO’s professional judgment, this type of plan would best meet the “formalization” requirement from the company’s recently adopted risk management strategy.

Your Task Assignment

As a staff member supporting the CISO, you have been asked to research and then draft the required system security plan for a General Support System. In your research so far, you have learned that:

· A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.” (See NIST SP 800-18.)

· The Field Office manager is the designated system owner for the IT support systems in his or her field office.

· The system boundaries for the field office General Support System have already been documented in the company’s enterprise architecture (see the case study).

· The security controls required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).

Research:

1. Review the information provided in the case study and in this assignment, especially the information about the field offices and the IT systems and networks used in their day-to-day business affairs.

2. Review NIST’s guidance for developing a System Security Plan for a general support IT system. This information is presented in NIST SP 800-18: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf. Pay special attention to the Sample Information System Security Plan template provided in Appendix A.

3. Review the definitions for IT security control families as documented in Federal Information Processing Standard (FIPS) 200: Minimum Security Requirements for Federal Information and Information Systems (see section 3).

4. Review the definitions for individual controls as listed in Appendix F, Security Control Catalog, in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. You should focus on those controls listed in the security controls baseline provided with this assignment.

Write:

1. Use the following guidance to complete the System Security Plan using the template from Appendix A of NIST SP 800-18.

a. Sections 1 through 10 will contain information provided in the assigned case study. You may need to “interpret” that information when writing the descriptions. “Fill in the blanks” for information about the company or its managers which is not provided in the case study (i.e. names, email addresses, phone numbers, etc.). Make sure that your fictional information is consistent with information provided in the case study (name of company, locations, etc.).

b. Section 11 should contain information about the field office’s Internet connection. Do not include the table. Use the business Internet Services Provider listed at the top of this assignment file. Describe the system interconnection type and the service level agreement in this section.

c. Section 12 should contain information derived from the case study. You will need to identify the types of information processed in the field office and then list the laws and regulations which apply. For example, if the case study company processes or stores Protected Health Information, then this section must include information about HIPAA. If the company processes or stores credit card payment information, then this section must include information about the PCI-DSS requirements.

d. 
Section 13 of the SSP will take the most editing time. Use the information about required security controls as provided in the security controls baseline.

i. Create 3 sub-sections (13.1 Management Controls, 13.2 Operational Controls, and 13.3 Technical Controls). You must provide a description for each category (see the definitions provided in Annex 11.B Minimum Security Controls in NIST SP 800-100, Information Security Handbook: A Guide for Managers).

ii. Using the information provided in the security controls baseline, place the required control families and controls under the correct sub-section.

iii. Use the exact names and designators for the security control families and individual security controls. BUT, you MUST paraphrase any and all descriptions. Do NOT cut and paste from NIST documents.
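The sorting in steps i–iii is mechanical enough to script, and doing so catches the mistakes that cost points: a control filed under the wrong class, AC-10 sorted before AC-2, a duplicate, or an enhancement such as AC-2(1) listed when the base control AC-2 never appears. The following is an added example written for this page, not code from the assignment, the case study, or NIST. The family-to-class split is the one published in NIST SP 800-53 Rev 3 Table 1 (Rev 4 dropped the class column from its catalog but kept the same family designators and the same 13.1/13.2/13.3 layout in SP 800-18). The baseline list inside the block is constructed for illustration and is not the baseline attached to the assignment; the family names are the published ones, and the descriptions are deliberately left empty so they get paraphrased by hand rather than pasted.

```python
import re
from collections import defaultdict

# Family -> class split as published in NIST SP 800-53 Rev 3, Table 1 (the
# split used by SP 800-18 Appendix A and SP 800-100). Rev 4 dropped the
# class column from its catalog but kept the same two-letter designators.
CONTROL_CLASSES = {
    "Management": {
        "CA": "Security Assessment and Authorization",
        "PL": "Planning",
        "PM": "Program Management",
        "RA": "Risk Assessment",
        "SA": "System and Services Acquisition",
    },
    "Operational": {
        "AT": "Awareness and Training",
        "CM": "Configuration Management",
        "CP": "Contingency Planning",
        "IR": "Incident Response",
        "MA": "Maintenance",
        "MP": "Media Protection",
        "PE": "Physical and Environmental Protection",
        "PS": "Personnel Security",
        "SI": "System and Information Integrity",
    },
    "Technical": {
        "AC": "Access Control",
        "AU": "Audit and Accountability",
        "IA": "Identification and Authentication",
        "SC": "System and Communications Protection",
    },
}
FAMILY_CLASS = {fam: cls for cls, fams in CONTROL_CLASSES.items() for fam in fams}
FAMILY_NAME = {fam: name for fams in CONTROL_CLASSES.values() for fam, name in fams.items()}

# "AC-2", "AC-2(1)" and "ac-2 (1)" are accepted; "AC2", "AC-" and "AC-2(a)" are not.
CONTROL_ID = re.compile(r"^\s*([A-Za-z]{2})\s*-\s*(\d+)\s*(?:\(\s*(\d+)\s*\))?\s*$")

# Constructed sample baseline (NOT the one attached to the assignment): mixed
# case, one duplicate, non-sequential numbering, and an enhancement (IA-2(1))
# whose base control IA-2 is missing.
SAMPLE_BASELINE = [
    "AC-1", "AC-2", "AC-2(1)", "AC-10", "AU-2", "IA-2(1)",
    "AT-1", "AT-2", "CM-2", "CP-9",
    "CA-1", "CA-2", "ca-1", "RA-3",
]


def parse_control(text):
    """Return (family, number, enhancement or None); reject malformed or
    unknown identifiers instead of silently dropping them."""
    m = CONTROL_ID.match(text)
    if not m:
        raise ValueError(f"not a control identifier: {text!r}")
    fam = m.group(1).upper()
    if fam not in FAMILY_CLASS:
        raise ValueError(f"unknown control family {fam!r} in {text!r}")
    return fam, int(m.group(2)), (int(m.group(3)) if m.group(3) else None)


def format_control(fam, num, enh):
    return f"{fam}-{num}" + (f"({enh})" if enh is not None else "")


def organize_baseline(control_ids):
    """{class: {family: [ids]}} in 13.1/13.2/13.3 order, families alphabetical,
    controls in numeric order (AC-2 before AC-10), duplicates collapsed."""
    seen = set()
    grouped = defaultdict(lambda: defaultdict(list))
    for cid in control_ids:
        parsed = parse_control(cid)
        if parsed not in seen:
            seen.add(parsed)
            grouped[FAMILY_CLASS[parsed[0]]][parsed[0]].append(parsed)
    return {
        cls: {
            fam: [format_control(*p) for p in sorted(ids, key=lambda p: (p[1], p[2] or 0))]
            for fam, ids in sorted(grouped[cls].items())
        }
        for cls in CONTROL_CLASSES if cls in grouped
    }


def enhancements_without_base(control_ids):
    """Enhancements listed without their base control; a baseline that cites
    AC-2(1) but never AC-2 is usually a transcription error worth checking."""
    parsed = {parse_control(c) for c in control_ids}
    bases = {(f, n) for f, n, e in parsed if e is None}
    return sorted(format_control(f, n, e) for f, n, e in parsed
                  if e is not None and (f, n) not in bases)


def render_section_13(control_ids):
    """Plain-text skeleton of Section 13 with one sub-section per class; the
    per-family descriptions are left for the author to paraphrase."""
    grouped = organize_baseline(control_ids)
    lines = []
    for i, cls in enumerate(CONTROL_CLASSES, start=1):
        lines.append(f"13.{i} {cls} Controls")
        for fam, ids in grouped.get(cls, {}).items():
            lines.append(f"  {fam} {FAMILY_NAME[fam]}: {', '.join(ids)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_section_13(SAMPLE_BASELINE))
    print("enhancements missing their base control:",
          enhancements_without_base(SAMPLE_BASELINE))
```

Run it against the attached baseline by replacing SAMPLE_BASELINE with the identifiers from that document; an unknown designator raises rather than being silently skipped, which is the behaviour you want when the output is going to be graded on using the exact control names.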

e. Section 14: use the due date for this assignment as the plan completion date.

f. Section 15: leave the approval date blank. You will not have any other text in this section (since the plan is not yet approved).

2. Use a professional format for your System Security Plan. Your document should be consistently formatted throughout and easy to read.

3. Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.

4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

GRADING RUBRIC:

System Security Plan

Sections 1 – 8 (System Identification)  10 points

Sections 1 – 8 present a thorough and complete
identification of the system (Field Office General IT Support), the responsible
individuals, and the system status. Key personnel (Section 5) roster contains
three or more appropriate designated officials.

Section 9: System Description / Purpose  10 points

Provided an excellent description of the Field Office
General IT Support System. Integrated case study information to describe the
business operations supported by the hardware, software, and networks which
comprise the “General IT Support” system. Included information about
the types and sensitivity of information processed by this system. Described
the “smart home” and “Internet of Things” capabilities
which are supported by the field office IT systems.

Section 10: System Environment  10 points

Provided an excellent description of the enterprise
architecture for the Field Office General IT Support System. Integrated case study
information to clearly and accurately describe the hardware, software, and
networks which comprise the “General IT Support” system. Included
information about the devices and controllers used for the “smart
home” and “Internet of Things” capabilities which are used by
the field office.

Section 11: System Interconnections / Information Sharing  10 points

Used information from the case study to identify (name) 5 or
more interconnected systems and networks (including the LAN/WAN network
connections between the field office and the operations center). Provided an
excellent description for each that included the types and sensitivity levels
of information transmitted over the connection (e.g. company proprietary
information, customer information, public Internet information). Named the
“owning” organization and responsible ISSO.

Section 12: Related Laws / Regulations / Policies  10 points

Provided an excellent overview of laws, regulations, and
policies which establish specific requirements for the confidentiality,
integrity, and availability of the data collected, processed, and/or stored in
the Field Office General IT Support System. Named and described the
applicability of 5 or more federal or state laws and regulations. Identified
and described at least one internal policy which applies to the use of this
system.

Section 13: Introduction for Minimum Security Controls  5 points

Provided an excellent introduction for Section 13: Minimum
Security Controls. Discussed the differences between management, operational,
and technical categories of security controls. Used information from the case
study and NIST SP 800-53.

Section 13 (a) Minimum Security Controls: Management Controls Category  10 points

Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. CA) listed under the “management controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. CA-1) and provided an excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.

Section 13 (b) Minimum Security Controls: Operational Controls Category  10 points

Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AT) listed under the “operational controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. AT-1) and provided an excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.

Section 13 (c) Minimum Security Controls: Technical Controls Category  10 points

Used the provided security controls baseline for the case study company. Named and described each of the required control families (e.g. AC) listed under the “technical controls” category (in the baseline) using information from NIST SP 800-53. For each “family” listed in the baseline under this category, identified (listed) the specific controls (e.g. AC-1) and provided an excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.

Sections 14-15: Completion & Approval Dates  5 points

Included both sections from the template file (14 & 15)
and entered the completion date for the plan.

Professionalism / Execution  10 points

Work is professional in appearance and organization
(appropriate and consistent use of fonts, headings, color).

No word usage, grammar, spelling, or punctuation errors. All
quotations (copied text) are properly marked and cited using a professional
format (APA format recommended but not required.)
