Develop Preliminary ISSP (Including Basic Security Policy) (c)

AMS Lifecycle Phase: Investment Analysis >>> Initial Investment Analysis

Description

The Information System Security Plan (ISSP) must fully identify and describe the controls currently in place or planned for the system and should include a list of rules of behavior. The existence of, and adherence to, an ISSP is a fundamental requirement in system security certification. The purpose of the ISSP is to provide an overview of the security requirements of the system, describe the controls in place or planned for meeting those requirements, and delineate the responsibilities and expected behavior of all individuals who access the system. Once completed, an ISSP will contain technical information about the system, its security requirements, and the controls implemented to provide protection against its risks and vulnerabilities.

Further, a system's ISSP acts as a record of the security analysis performed during the mission analysis phase. It provides a place to record the threats that are being considered, the security objectives that are being pursued, and the actual security specifications as they are created. The ISSP should be viewed as an "evolving" document that records the security analysis performed during the course of the requirements generation process. Specific information regarding developing an ISSP can be found in NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

The security requirements for enterprise systems should address the following issues:

  • the system should not create vulnerabilities or unintended interdependencies in other enterprise systems
  • the system should not decrease the availability of other enterprise systems
  • the system should not decrease the overall security posture of the entire enterprise
  • systems connected to external domains must analyze and attempt to counter hostile actions originating from those domains
  • security specifications should be appropriate for the given state of the system
  • security specifications should be stated clearly to convey the desired functions and assurances to the enterprise system product team and the developers
  • specifications should be implemented that sufficiently reduce the risks to the enterprise system and to the enterprise mission that the system supports

The Basic Security Policy is the foundation for all security decisions made by the IPTs. The Basic Security Policy provides an overview of the security requirements of the system, and delineates responsibilities and expected behaviors of all individuals who access the system. The Security Policy should reflect inputs from information owners, system operators, and the system security manager.

Management acceptance of the policy should be based on an assessment of management, operational, and technical controls. Since the Security Policy establishes and documents the security framework for the system, it should form the basis for management's authorization.

Note on relationship between ISSP and 800-53 security controls:
The ISSP also outlines the management controls that protect the system's information resources. Technical and operational controls, in turn, support the management controls. To be effective, these three classes of controls must interrelate.

Management Controls

Are measures, in place or planned, intended to meet the protection requirements of the information system resources. Management controls focus on the management of the information system and the management of risk for that system. The types of control measures are consistent with the need for protection of the information system resources.

System training and awareness requirements must be identified in the appropriate section as indicated in the template instructions. It is critical to identify the required training and awareness, the frequency with which it is to be delivered, the personnel who will be required to take it, and the party responsible for maintaining training records.

Operational controls

Are mechanisms that are implemented and executed primarily by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise, and they often rely upon management activities as well as technical controls.

Technical controls

Are those security controls executed by the computer system. Such controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The implementation of technical controls, however, always requires significant operational considerations and should be consistent with the management of security within the organization.

Tasks

  • Develop ISSP based on security requirements
  • Determine security requirements for the system
  • Determine the NIST SP 800-53 controls applicable to the system being assessed
  • Define and describe the scope of the system and its boundaries
  • Determine who will be the POC for security of the system
  • Identify the Security Team and the LOBs involved and ensure commitment

Resources

  • OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
  • 44 USC 35, Subchapter II, Federal Information Security Management Act (FISMA)
  • Public Law 106-398, Government Information Security Reform Act of 2000 (GISRA)
  • NIST Special Publication 800-27, Engineering Principles for IT Security
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
  • ATO - Information Systems Security Program Implementation Guide (SCAPs)
  • FAA's ISS Handbook

Last updated: Friday, October 12, 2018