System Security Plan (SSP)
A system security plan (SSP) is a plan to establish and improve the protection of information technology (IT) systems and resources. Every system is unique because of the sensitivity level of the information it creates, stores and processes. Therefore one system security plan cannot serve all of the systems that Red Clay Renovations (RCR) owns. The system security plan is a strategic document; it is the foundation of the security program and provides a framework for compliance with security controls and industry regulations ("Cyber Security: The Importance of a Security Plan", 2011). All systems owned by RCR must have their own system security plan because this ensures that the unique and generic threats to each system are identified, documented and prioritized. This is crucial for defending the system when a threat materializes, because the plan provides the processes and actions to be followed to minimize the impact.
Risk management involves identifying risks, assessing them and executing strategies to eliminate or minimize their impact (CareersinAudit.com, 2013). A system security plan is a risk management framework for a specific IT system. Because RCR collects, stores and processes sensitive and confidential information about our clients and vendors, it is imperative that every system has an SSP. The SSP documents the processes and provides guidelines to maintain the confidentiality, integrity and availability of the systems and their information. Every field office has a unique role within the RCR organization, and each field office and system faces both shared and unique threats. Therefore each field office, and the systems hosted and used by it, must have its own system security plan.
RCR IT Architecture
RCR's infrastructure includes the head office in Wilmington, DE and an operations center located in Owings Mills, near Baltimore. In addition, RCR has field offices in downtown Baltimore and suburban Philadelphia. Company operations such as accounting and finance, customer relations, human resources, IT services, marketing and corporate management are conducted at the operations center in Owings Mills. The operations center also hosts the web servers, email servers, application servers and database servers. It hosts the operator console(s) as well, and connects field office and remote users to the enterprise network via a secure VPN connection. Each location, including the field offices, the headquarters and the operations center, has its own network infrastructure built on Cisco equipment such as network switches and wireless access points. The field offices have their own network infrastructure but use the same logical model.
Separate SSP for each field office and system
The operations center has a unique role in the organization because it hosts all major enterprise operations. For this reason the SSP for the operations center must be unique as well: because the center is located in Owings Mills, the physical threats to the systems and the facility differ from those at the HQ and the field offices. Every system requires its own configuration, including the different Windows Server roles provided by Microsoft, and the security configuration depends on the role of the server. Server roles enable the intended functionality of the server, such as print services, email, file sharing (internal network) and Active Directory (to authenticate and authorize users accessing RCR's network).
An email server faces unique threats such as spam: the sheer volume of it can affect system availability, and spam messages can carry viruses and malicious code (Cocca, 2004). The SSP for the email servers will specifically discuss these risks, how they can be avoided, and how their impact can be minimized if any of them occur. NIST SP 800-45 Version 2 provides guidelines on electronic mail (email) security, and these guidelines can be used to develop an SSP for the email servers.
The web servers host our web applications that control smart home modules, and they transmit very sensitive information, so some of the threats and risks differ from those facing the email servers. Threats that a web server and its applications face include injection attacks such as SQL, OS command and LDAP injection, in which untrusted input sent as data is interpreted by the server or application as part of a query or command, tricking it into running malicious commands ("Top 10 2013-Top 10 - OWASP", 2013). The operations center also manages the applications and systems used by accounting and finance, human resources, customer relations, information technology services, marketing and corporate management. These applications and systems require their own SSPs depending on the risks and threats they face.
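The injection threat named above is easiest to understand from a concrete query. The following Python example is added here to illustrate it; it is not code from the page, from RCR, or from OWASP, and the `modules` table, its columns and the sample rows are a constructed stand-in for whatever schema the smart-home web application actually uses. It shows a SQL lookup built by string concatenation beside the parameterized form, plus an argument-list builder with host validation of the kind that prevents OS command injection when the application has to call a system tool.

```python
import re
import sqlite3

# Constructed sample data (assumption: the real schema is not described on the page).
SAMPLE_MODULES = [
    ("alice", "alice-thermostat-token"),
    ("bob", "bob-lock-token"),
    ("carol", "carol-camera-token"),
]


def build_db():
    """Create an in-memory SQLite database with a hypothetical modules table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO modules (owner, secret) VALUES (?, ?)", SAMPLE_MODULES)
    conn.commit()
    return conn


def modules_for_owner_vulnerable(conn, owner):
    """Vulnerable: the caller-supplied owner is spliced into the SQL text.

    A quote character in `owner` closes the string literal, so the attacker's
    input becomes part of the query grammar instead of staying a value.
    """
    query = "SELECT owner, secret FROM modules WHERE owner = '" + owner + "'"
    return conn.execute(query).fetchall()


def modules_for_owner_safe(conn, owner):
    """Hardened: a parameterized query keeps the value out of the SQL grammar.

    The driver binds `owner` as data, so "' OR '1'='1" is looked up literally
    and matches no row.
    """
    return conn.execute(
        "SELECT owner, secret FROM modules WHERE owner = ?", (owner,)
    ).fetchall()


# Hostnames/IPs the web app is allowed to pass to a network tool. Anything
# containing shell metacharacters (; | & ` $ etc.) is rejected up front.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_argv(host):
    """Return an argument list for subprocess.run(), never a shell string.

    Validating the host and passing argv as a list (no shell=True) means
    input like "10.0.0.5; rm -rf /" cannot become a second command.
    """
    if not _HOST_RE.match(host):
        raise ValueError("invalid host: %r" % host)
    return ["ping", "-c", "1", host]


def demo():
    """Run both lookups against the same injection payload and report the rows returned."""
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_rows": len(modules_for_owner_vulnerable(conn, payload)),
        "safe_rows": len(modules_for_owner_safe(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload `' OR '1'='1`, the concatenated query becomes `SELECT owner, secret FROM modules WHERE owner = '' OR '1'='1'`, which returns every owner's secret; the parameterized version returns nothing. Note that `sqlite3` refuses stacked statements in a single `execute()` call, so the example deliberately uses a boolean bypass rather than an appended `; DROP TABLE`.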
Because each field office has a unique operational role, one SSP cannot provide adequate security controls for every system. It is therefore necessary, and critical, that each field office and system has its own SSP.
The SSP is developed in cooperation with the system owner (the field office manager), the information owner, the CISO, the COO, the ISSO and the system administrator of RCR. It is a structured record of the plans for protecting a system. Each system must be identified along with its intended role and the information it creates, stores and processes. Then the risks and threats must be identified and prioritized. Because each system and field office plays a unique part in the overall mission of RCR, there are both similar and unique threats. Therefore each field office and system must have a separate SSP, which makes it possible to mitigate system-specific and field-office-specific threats in a timely manner. Given the unique nature of these threats and risks, one SSP is not sufficient to secure every field office and system.
Cocca, P. (2004). Email Security Threats (1st ed., p. 4). GIAC Security Essentials Certification. Retrieved from https://www.sans.org/reading-room/whitepapers/email/email-security-threats-1540
Cyber Security: The Importance of a Security Plan. (2011). L.R. Kimball. Retrieved 23 September 2016, from http://kimball.typepad.com/lrkimball/2011/01/cyber-security-the-importance-of-a-security-plan.html
Top 10 2013-Top 10 - OWASP. (2013). Owasp.org. Retrieved 23 September 2016, from https://www.owasp.org/index.php/Top_10_2013-Top_10