OVERVIEW
A system security plan describes the details of how the security program protects the system. Each component of the security program and how it is implemented is addressed in the system security plan (SSP). You will create a professional cybersecurity deliverable that you are proud of and can potentially use or share with a current or future employer, demonstrating skills learned.
This two-part final project has real-world applicability. First, you will develop a system security plan to demonstrate knowledge of the different factors and topics that need to be addressed in order to successfully establish and implement a comprehensive system security plan within an organization. Then, you will present your system security plan to a management “audience”
INSTRUCTIONS
Part 1: Security Plan
The security plan created will have an emphasis on how you expect to implement the plan, and components (or chapters) should be drafted in various written assignments required throughout the course. This final deliverable must be an 18 page security plan double-spaced in APA format, and it should include at least 10 APA-compliant references (and associated in-text citations). The plan must include the sections listed below.
Introduction and Purpose of the Security Plan
– Description of the organization/system including size, location, and industry
– Purpose of a security plan
Environmental Circumstances
– System interconnections
– Physical security considerations (fences, guards, etc.)
– Natural disasters in the area
– Personnel security requirements
– Legislative or regulatory requirements
Data/Asset and Risk Evaluation
– Identification of assets, threats, vulnerabilities
– Determination of overall risk posture
– Vulnerability management
Access Control/Identification and Authentication (I&A)
– Least privilege
– Segregation of duties
– Access control to facilities and systems
– System accounts and accesses
– Passwords
Auditing
– Tools (SIEM, IDS/IPS, etc.) and sources (system log files, device logs, etc.)
– Frequency and who within the organization would conduct
– What activities are audited (object access failure, etc.)
Media and Communications Protection
– Media types allowed (or disallowed and how that would be implemented)
– Encryption for data at rest and/or data in motion
Configuration Management and Maintenance
– Automated solutions
– Maintenance windows
– Change control
Patch and Flaw Remediation
– Patch research
– Vendor notifications, blogs, e-mail registration
– Relation to malware, zero day exploits
Incident Response
– Team identification
– Plan creation
– Exercise/practice
Disaster Recovery and Business Continuity
– Roles and assignments
– Tests and incorporating corrections/improvements
– Dry runs
Security Awareness and Training
– Initial training
– Refresher frequency
Implementation and Communication
– Barriers to implementation
– Corporate culture, resistance to change, management buy-in
– Create a solution to the implementation challenges expected to be encountered.
Explain the implementation plan.
– Will the program be implemented all at once or in phases?
– Will some components be implemented sooner than others, and what rationale would lead to those decisions?
Construct a plan for communicating the implementation plan to employees.
– Consider initial announcements, reminders, and so forth.