The purpose of a system security plan (SSP) is to provide an overview of the security requirements of a network system and infrastructure. The SSP describes the security controls that must be in place, individual responsibilities, and the expected behavior of all individuals who have access to the system network. The system security plan should be viewed as documentation of the structured process of planning an adequate, cost-effective security protection program for a network system (Kirby, 2003). Network security shouldn’t be a one-size-fits-all approach. SSPs should reflect the input from the various managers who are responsible for the security of the system. Responsible parties would include information owners, system operators, and the system security managers.
An SSP is a requirement of the Office of Management and Budget (OMB) Circular A-130 (Swanson, 2006). All SSPs must document who reviewed the plans, who keeps the plan current, and who follows up on future planned security controls. The SSP must ensure all parties involved understand their roles and responsibilities. Red Clay field offices require different security measures, so they require different security plans.
Each field office has its own network infrastructure built on Cisco-branded equipment: a Virtual Private Network (VPN), wired and wireless local area networks, wireless access points, switches, a premise firewall, and an intrusion detection system (King 2018). All field offices collect and store personally identifiable information (PII) on their network systems. An SSP is imperative for field managers to keep control over the individuals who access that particular field office system and over the PII and sensitive information transmitted and stored on the systems. Furthermore, each office will require its own representative who is responsible for the privacy of its information.
According to SC Media, the most cost-effective way to implement a successful SSP is to:
Estimate the value of the information you’re trying to protect (e.g. your company’s sensitive data).
Estimate the probability that each information set will be breached. Assign each information set a vulnerability score, based on its probability of being attacked.
Prioritize the information sets by developing a grid, ranging from low value/low vulnerability to high value/high vulnerability. For each box inside the grid, calculate the potential loss by multiplying the information’s value by its probability of a breach.
With a completed grid laying out the potential loss values for each information set, you can identify which ones are most crucial to spend your money on.
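The four steps above, worked through as an added example (not from SC Media or the original essay). The information sets, dollar values, breach probabilities and the two cutoffs that split the grid into low and high bands are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoSet:
    name: str
    value: float        # step 1: estimated value of the information, in dollars
    breach_prob: float  # step 2: estimated probability of a breach, 0..1

    def __post_init__(self):
        # Reject estimates that would make the grid meaningless.
        if self.value < 0 or not 0.0 <= self.breach_prob <= 1.0:
            raise ValueError(f"bad estimate for {self.name!r}")

    @property
    def potential_loss(self) -> float:
        # Potential loss = value x probability of breach.
        return self.value * self.breach_prob


def band(x, cutoff):
    return "high" if x >= cutoff else "low"


def build_grid(sets, value_cutoff, prob_cutoff):
    """Step 3: place each set in a (value band, vulnerability band) box."""
    grid = {}
    for s in sets:
        key = (band(s.value, value_cutoff), band(s.breach_prob, prob_cutoff))
        grid.setdefault(key, []).append(s)
    return grid


def rank(sets):
    """Step 4: order information sets by potential loss, largest first."""
    return sorted(sets, key=lambda s: s.potential_loss, reverse=True)


# Constructed sample data; every name and number here is illustrative.
SAMPLE = [
    InfoSet("customer PII", 500_000, 0.10),
    InfoSet("payment records", 300_000, 0.30),
    InfoSet("marketing drafts", 20_000, 0.40),
    InfoSet("public brochures", 5_000, 0.05),
]

if __name__ == "__main__":
    grid = build_grid(SAMPLE, value_cutoff=100_000, prob_cutoff=0.20)
    for (v, p), members in sorted(grid.items()):
        total = sum(m.potential_loss for m in members)
        print(f"{v} value / {p} vulnerability: ${total:,.0f}")
    for s in rank(SAMPLE):
        print(f"{s.name:18} ${s.potential_loss:>10,.0f}")
```

With these sample numbers the most valuable set (customer PII) is not the top spending priority: the payment records carry the larger potential loss because their breach probability is three times higher.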
Every business is different, and every business’s security needs are different. Thus, a security plan needs to reflect the needs of the organization. At the same time, every security plan has the same goal: preventing unwelcome parties from stealing or changing data. Creating an SSP is not convenient and may cost the organization money to establish, but the consequences of not having an SSP could cost Red Clay Renovations significantly more monetarily if a calamity in security taints its reputation.
King, V. (2016, April). Company Profile. In Red Clay Renovation.
Kirby, M. (2003, March). System Security Plan Development Tool Step by Step Guide. In SANS.
Swanson, M., Hash, J., & Bowen, P. (2006, February). Guide for Developing Security Plans for Federal Information Systems. In NIST Special Publication 800-18 Revision 1.
What’s a Good Cybersecurity Budget And How Do I Get It? SC Media. (2017, July 27).