system security plan (SSP), programming homework help

The reason for a system security plan (SSP) is to give an outline of the security prerequisites of the framework and depict the controls set up or planned, duties and expected conduct of all persons who access the system. The SSP should be regarded as documentation of the organized process of planning sufficient, cost-effective security defense for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager (SANS Institute, 2016).

Red Clay Renovations systems use a Virtual Private Network (VPN) connection between the Operations Center and the Field Offices over an internet service provider network. The VPN is utilized to protect the confidentiality and integrity of information conveyed between IT systems positioned in the company’s field offices, headquarters, and operations center.

With the swift speed of business change, this means that information technology (IT) has to be flexible outside of what is needed. Each of the four facilities will have different Access Control (AC) for all employees. Red Clay Renovations must “limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise” (National Institute of Standards and Technology, 2006).

The security categories for AC are established on the potential impact (high, medium, low) on Red Clay Renovations should certain actions occur which threaten the “information and information systems needed by the company to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals” (National Institute of Standards and Technology, 2004).

Red Clay Renovations has a multitude of employees ranging from C-Suite, mid-level, and contractors. To limit these potential impacts Red Clay Renovations AC needs are different at each facility depending on staff and their hierarchy within the company. For example, the Owings Mills facility contains the company’s operations (main data hub) center as well as general offices for the company’s operations. This would have a high impact potential to the confidentiality, integrity, or availability (CIA) of Red Clay Renovations systems if a breach occurred.

Each SSP will not only differ from the above statements but also each facility has different owners of the systems and a person assigned the responsibility, ability, and authority to both oversee the development and maintenance of the web support system as well as being able to interact with the IT support staff that will be maintaining the server(s).

References:

National Institute of Standards and Technology. (2006). Minimum Security Requirements for Federal Information and Information Systems (1st ed., pp. 1-4). Gaithersburg, MD.: U.S. DEPARTMENT OF COMMERCE. Retrieved from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

National Institute of Standards and Technology. (2004). Standards for Security Categorization of Federal Information and Information Systems (1st ed., pp. 1-3). Gaithersburg, MD.: U.S. DEPARTMENT OF COMMERCE. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

SANS Institute. (2016). SANS: System Security Plan. Sans.org. Retrieved 27 September 2016, from https://www.sans.org/projects/systemsecurity.php