SSP (System Security Plan) / PowerPoint presentation
Cyber Defense Analysis
System Security Plan (SSP) Guideline for CMI Presentation
Most of the guidance for creating a System Security Plan is aimed at large Federal Government organizations and contractors. These publications include the FedRAMP Cloud SSP Guide and NIST Special Publications 800-18 r1 and 800-171 [1]. But this guidance may also be used by the private sector and by a smaller organization such as CMI. In fact, the majority of materials downloaded from NIST are from private sector requestors. A full SSP process can, however, be quite laborious. It involves:
1. Listing a large volume of basic organizational information such as authorization, contacts, mission, and
applicable law & regulation,
2. Determining the boundaries of the information technology system, including applications, technical operating environment [hardware, software, data & communications], interconnections, information sharing, physical locations & containment, personnel involved, and processes for use,
3. System Categorization, i.e. determining levels of confidentiality, integrity, & availability (CI&A) for the system
using [low, moderate, high] labels, and
4. Applying a specific set of controls, i.e. defensive measures, termed Low, Moderate or High, matching the CI&A categorization. These controls are set by NIST and listed separately for systems classified as Low, Moderate, or High. Federal government organizations must apply those specific types of controls to those systems, and
5. A Plan of Action and Milestones to assure that the organization is brought up to required levels of security and
maintained at those levels.
Modified Approach for CMI
With CMI, a moderate sized commercial organization, a modified approach is justified. Such an approach would include:
A. Brief Description of the organization
B. Brief Description of the system(s) or technology(s) under review and their requirements in CI&A.
C. Summary of Systems Threat, Vulnerability, Impact and Likelihood (TVIL) findings,
D. Selection of Controls to be applied to their systems for CI&A given their TVIL, and
E. Brief outlook on expected implementation timetable and resources for maintaining assurance.
An SSP writer should attempt to incorporate organizational activities supporting cyber security explored thus far in the
course into the plan. Figure 1 below demonstrates this. More detailed requirements follow the figure.
Figure 1. Integration of Previous Assignments into an SSP
[1] a. FedRAMP SSP Moderate Baseline for Cloud Template: https://www.fedramp.gov/assets/resources/templates…
b. For a government SSP: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistsp…
c. For a contractor SSP: NIST SP 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: https://nvlpubs.nist.gov/nistpubs/SpecialPublicati…
Your presentation should be structured similarly to the outline above.
Viewpoint
In presenting this report you should take a specific viewpoint toward the SSP’s area of concern, choosing any one of the
following:
1. Selection of a specific technology area, e.g. Wireless, with its TVIL findings and CI&A requirements, and then the
expected effects of applying security controls across selected application systems using wireless technology.
2. Selection of a specific functional area, e.g., Accounting, Personnel or Marketing, then outlining the requirements
and effects of applying security controls across all of the applications & technology in use in that area.
3. A complete CMI cross-cut of security application across all systems, infrastructure, TVIL and controls in the entire organization, given the findings and CI&A requirements.
You will need to specify this up front in your Executive Summary along with the Organization level material.
Determining/ Describing system boundaries
Most organizations employ many different automated information technology systems composed of people, processes,
and technology for accomplishing their goals. So an organization will have, for example, a payroll system, an accounting
system, a product inventory system, and a sales recording system. These systems may be housed in different locations,
on different internal or external vendor hardware, in clouds, or on mobile devices. There are many potential system and
sub-system variations. For example, within a sales department they may be operating a scheduling app with customers, traditional productivity apps (word processing, spreadsheets, etc.), a travel app, perhaps a web-based app like Salesforce, and coordinating content for advertising.
For CMI you should specify 1) the applications they are running and 2) the infrastructure on which those applications operate.
Confidentiality, integrity, & availability
For CMI the current environment is less complex. From a network viewpoint it may be seen as one system. However,
from an audit standpoint, transactions in the accounting function would be viewed differently from transactions in the
customer service or credit departments. Each will employ different applications and likely be operating on different
hardware processors. This must be considered when determining what controls should be applied. Typically,
confidentiality is more often an issue with personnel records, integrity with financial records, and availability with
customer service. Controls that might be applied tend to fall within categories such as the following:
Confidentiality: Encryption, Access Control
Integrity: Certificates, Hashing, Audit
Availability: Network up time, Backups
Keep this in mind as criteria when selecting controls.
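The "Integrity: Hashing, Audit" category above is abstract as stated; the following is an added example (not from the course guideline) of what such a control looks like in practice: a file-integrity baseline that hashes a set of records, seals the baseline with an HMAC so the baseline itself cannot be silently rewritten, and reports modified, missing and new files on a later audit. File names, contents and the demo key are constructed for illustration; in a real deployment the key and baseline would be kept off the monitored host.

```python
"""Added example (not part of the course guideline): a minimal file-integrity
baseline illustrating the 'Integrity: Hashing, Audit' control category.
All file names, contents and the key below are constructed for the demo."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _snapshot(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root: Path, key: bytes) -> dict:
    """Record the digests and seal the record with an HMAC, so an attacker who
    edits a file cannot also quietly edit the baseline to match."""
    entries = _snapshot(root)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_baseline(root: Path, baseline: dict, key: bytes) -> dict:
    """Compare the current tree to the baseline and return the audit findings.
    The MAC is checked first: a baseline that fails it is not trusted at all."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        return {"baseline_tampered": True, "modified": [], "missing": [], "new": []}
    current, old = _snapshot(root), baseline["entries"]
    return {
        "baseline_tampered": False,
        "modified": sorted(f for f in old if f in current and current[f] != old[f]),
        "missing": sorted(f for f in old if f not in current),
        "new": sorted(f for f in current if f not in old),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small accounting tree, then alter it."""
    key = b"constructed-demo-key"  # constructed; never store beside the files
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_text("2024-01-01,vendor A,1000.00\n")
        (root / "payroll.csv").write_text("alice,5000.00\n")
        baseline = build_baseline(root, key)
        # Simulate unauthorised changes made after the baseline was taken.
        (root / "ledger.csv").write_text("2024-01-01,vendor A,10000.00\n")
        (root / "payroll.csv").unlink()
        (root / "notes.txt").write_text("new file\n")
        return verify_baseline(root, baseline, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The findings dictionary is what an auditor would review: which financial records changed, which disappeared, and which appeared without being baselined. Hashing alone only detects change; the "Audit" half of the control is the scheduled comparison and the review of its output.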
Systems Threat, Vulnerability, Impact and Likelihood (TVIL) Findings
A good part of this course was spent examining vehicles for discovery of threats & vulnerabilities. Controls should be
identified that will mitigate the specific TVIL identified.
nMap: port issues, Unidentified Devices on the Network
Nessus: Software Vulnerabilities
Wireshark: Potentially Malicious Network traffic
Penetration Testing Discoveries using specialized query tools, audit and social engineering
Risk Assessment Discoveries
Your presentation should include a summary of the threats & vulnerabilities discovered or hypothesized for CMI.
Determining & Applying Defensive Controls
For most security shortfalls there is a solution. These solutions fall into the general categories of people, process, and technology. Yu [2] and others have formulated a matrix approach, called the Cyber Defense Matrix (CDM), for mapping controls to the area of challenge. It utilizes the common elements of information systems [Devices, Data, etc.] along with the functions of cybersecurity [Identify, Protect, Detect, Respond, Recover] as defined in the Cyber Security Framework [3].
Figure 2, below, from Yu (2019) illustrates this concept. So for a network that is prone to malicious activity, a requirement exists to detect malicious activity on devices and in the network. Examining the matrix below we see Endpoint Detection & Response, along with DDoS mitigation, as suggested defensive measures.
[2] Yu, S. (2019). The Better Cyber Defense Matrix. RSAConference. https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/14226/STR-T09-Cyber-Defense-Matrix-Reloaded_POSTABLE_VERSION.pdf
Figure 2. Mapping of Cyber Solutions in a Cyber Defense Matrix (CDM). Source: Yu, S. 2019
In his presentation Yu outlines a number of other uses for the matrix. One of those extensions is the use of the CIS Top 20 within the CDM framework. See it applied in Figure 3, below. For network detection we see controls 6.1 through 6.8 apply, as well as 11.3, 12.2, etc. As an example, CIS 6.1 is:
6.1 Utilize Three Synchronized Time Sources: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
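CIS 6.1 is a good example of a control that can be verified mechanically. The following is an added example (not from the course guideline or the CIS document) that parses ntpd/chrony style configuration text and counts the distinct network time sources it declares. Two caveats a reviewer would want are built in: ntpd's 127.127.x.x addresses are local reference-clock drivers rather than synchronized network sources, so they are not counted, and a `pool` directive is counted as a single source of trust unless it states `maxsources N` (our conservative assumption; chrony's own default for a pool is four). The configuration samples are constructed.

```python
"""Added example (not from the course guideline or CIS): a check for CIS 6.1,
'at least three synchronized time sources', over ntpd/chrony style config text.
The configuration samples at the bottom are constructed for the demonstration."""
import ipaddress
import re

SOURCE_DIRECTIVES = {"server", "peer", "pool"}


def _is_local_refclock(host: str) -> bool:
    """ntpd addresses in 127.127.0.0/16 select local reference-clock drivers,
    not a network time source, so they must not count toward the three."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network("127.127.0.0/16")
    except ValueError:
        return False  # a hostname, not an IP address


def time_sources(config_text: str) -> list[str]:
    """Return the network time sources declared in the config, one entry per
    counted source.  Assumption (ours, conservative): a 'pool' counts once
    unless it carries 'maxsources N', in which case it counts N times, because
    a pool name resolves to several servers but is a single point of trust."""
    sources: list[str] = []
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive not in SOURCE_DIRECTIVES or not args:
            continue
        host = args[0].lower()
        if _is_local_refclock(host) or host in seen:
            continue  # skip local clock drivers and duplicate declarations
        seen.add(host)
        weight = 1
        if directive == "pool":
            m = re.search(r"\bmaxsources\s+(\d+)", line, re.IGNORECASE)
            if m:
                weight = int(m.group(1))
        sources.extend([host] * weight)
    return sources


def meets_cis_6_1(config_text: str) -> tuple[bool, int]:
    """CIS 6.1 requires at least three synchronized time sources.
    Returns (compliant, number_of_sources_counted)."""
    n = len(time_sources(config_text))
    return n >= 3, n


# Constructed samples (not real hosts)
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 127.127.1.0           # local clock driver, not a real source
server time.example.internal iburst
"""

GOOD_CHRONY_CONF = """\
server ntp1.example.internal iburst
server ntp2.example.internal iburst
pool   pool.example.net      iburst maxsources 2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_NTP_CONF), ("good", GOOD_CHRONY_CONF)):
        ok, n = meets_cis_6_1(text)
        print(f"{name}: {n} source(s) counted -> {'PASS' if ok else 'FAIL'}")
```

Counting declared sources is only the configuration half of the control; whether the daemon is actually synchronizing to them is a runtime question (the peer/source status output of the time daemon) that the SSP's audit procedure should also cover.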
One hundred seventy specific numbered defenses may be found in a spreadsheet “CIS Top 20 Cybersecurity Controls Detail.xlsx” located in Module 8 on the Google Drive. You should download the spreadsheet and examine the controls.
Figure 3. Cyber Defense Matrix for CIS Top 20 Security Controls
Many of your module readings were Lecturettes and associated articles on a variety of challenges in cybersecurity
including Wireless, Web, Authentication, Malware Analysis, etc. In each of these lecturettes, solutions to these
challenges were discussed and could be applied to the issues facing CMI. There are many sources for controls; do not feel constrained to these, and explore other options.
Use the controls you found relevant in your Risk Assessment, along with those outlined in the Lecturettes and in the articles, and finally also those that may be found in the CIS Top 20. Optionally you may locate specific vendors by referring to the TAG Group’s Vendor List [4], located on the Google Drive under Module 8, or by performing an online search.
[3] NIST Cyber Security Framework (2018). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.0…
Presentation
Your 10-20 PowerPoint slides should follow the organization/sections of the SSP in Figure 1, above. They should be combined with an oral narration using PowerPoint, VoiceThread or any other video and audio capture application that produces a common format such as wmv, wmf or mp4.
The presentation should be deposited into the Grade Book, with a link to the full audio/video if it is deposited in some other location.
The PowerPoint presentation must be supplemented by annotation for each slide, i.e. notes that support or explain the slide, so that a non-hearing person could capture the speaker’s thoughts or a non-sighted person could follow along.