Information System Security Plans - Research Paper Example

Information System Security Plan An Assignment Submitted by Fall Information System SecurityPlan A nation can protect itself from threats and reach the top echelons only if its security system is made optimal and effective without any chance of loopholes. This is where the role of a security plan assumes significance. A foolproof security plan for the nation’s federal agencies and other governmental organizations can enable it to function securely and efficiently thereby giving the nation an ‘edge’ over other nations. That is, once agencies’ security structures and critical information are secured, they can operate without any threats, which in way strengthen the overall defense of the nation, weaken the defense of its enemies, and even orient the nation on the right path of development. Then, with todays rapidly changing political, economic, and importantly technical environment increasing the threat for the federal agencies, it becomes paramount for those agencies to adopt a strong security plan. In that direction, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed guidelines on the ways to formulate and adopt a security plan. “NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system” (Swanson, Hash & Bowen, 2006). Among the various parts of the NIST’ security plan, the focus will be on the four sections of General Description, System Environment, Laws, regulations, and policies, and finally Security Control Selection. So, when a federal agency like Department of Defense (DoD) adopts a security plan, these four sections can contribute optimally to the process and so the discussion will about why are these sections are important and how they can be applied in DoD. All federal agencies or systems including DoD reflect some to extreme level of sensitivity and because of that it requires protection for its physical IS system and its virtual data as part of secured and good management practice. In that direction, DoD adopted a risk-focused security plan and guidelines of NIST in 2014 after dropping its longstanding DoD Information Assurance Certification and Accreditation Process (DIACAP). DoD transitioned to NIST considering its effectiveness, in-depth focus and at the same user-friendly nature. “The NIST library of security controls (in NIST publication 800-53 Rev. 4), currently in use at most civilian agencies, are much larger and the controls more granular, yet easier to understand and implement, than DIACAP, say those familiar with both methods” (Marzigliano, 2014). Under the transition plan, DoD has six months from March 12, 2014 to end any new accreditations under the legacy DIACAP process and three-and-a-half years for the full transition to NIST from all the existing DIACAP-based accreditations (Marzigliano, 2014). In that direction, DoD has to formulate security plan. The purpose of system security plan is to chart an overview of the security requirements, analyze the existing controls, find loopholes to plug, come up with newer and updated controls, and so on. As part of this documentation of the structured process of security planning, the function and purpose of the system has to be described. Once the function and purpose of the system is described, relevant and even customized security plan can be formed. Although, NIST standards are applicable to all federal agencies particularly DoD, considering DoD’s role in the formulation of NIST, describing the functioning and purpose of DoD’s IS at the outset can aid in the formulation of effective and pertinent security plan. So, this section of general description is an important and basic step in the designing of the security plan. Speaking of DoD’s, its main purpose and function is coordinating as well as supervising the federal agencies and government’s function that are concerned with national security. It is under the DoD, the three key military divisions of U.S. Department of the Army, Navy, and the Air Force comes under. Apart from these three organizations, DoD coordinate and supervise the four national intelligence agencies or services including the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA), and the National Reconnaissance Office (NRO) (“Department of Defense: Directive,” 2011). In addition, DoD’s physical structure extends to many acreage. Apart from its main installation of Pentagon, DoD manages number of installations in over 5000 different locations or sites utilizing over 30 million acres of land thereby reflecting its huge physical presence (“About”). Then when it comes to its system environment also, it exhibits sizable presence. Focusing and then detailing about the technical system environment of agencies like DoD is a key component in the formulation of security plan. The technical system environment includes all the physical hardwares and virtual softwares that runs the IS structure or even complements the functioning of the IS structure in DoD. Although, it might be difficult to list and include all those components of the technical system environment, it has to be done to come up with an effective security plan. So, it is obvious that this section of system environment is an important section in the NIST guidelines. When it comes to DoD, its technical system environment is humongous, with hardwares and softwares being added every day. According to 2011 figures, “DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe”(“ Department of Defense Strategy,” 2011). The technical system environment not only includes components in an immobile installation but also extends to defense related vehicles and weapons. So, the NIST standards are applicable to the IS structure that is present in its installations and also mobile components. “It even applies to IT that resides on weapons, in space, on vehicles, on aircraft, or in medical devices (collectively referred to as platform IT), though some forms of platform IT and other unique system types are handled under slightly different procedures and rules” (Marzigliano, 2014). When one focuses on environmental or technical factors that raise special security concerns, DoD is particularly concerned regarding three areas of potential adversarial threats. It includes “theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected system” (“Department of Defense Strategy,” 2011). The above-mentioned adversarial activities can be carried out by enemy or opposition countries and its intelligence agencies as well as by non-state terrorist or commercial groups. In addition, the widespread availability of hacking tools and other sophisticated hardwares and softwares are making it easy for these agencies and groups to have a crack at DoD. The other section of the NIST standards is formulating a security plan which abides by key laws, regulations, or policies. That is, federal, state, and even local laws that protect the privacy and civil liberties of the civilians and even the employees working in the federal agencies like DoD have to be taken care. Although, protecting the national interests appears paramount, it does not have to be at the cost of civil liberties and other ethics, making this an important section. In the case of DoD, it has already incorporated this need to protect privacy and civil liberties as part of its statutes and functioning. “DoD…seeks to mitigate the risks posed to U.S. and allied cyberspace capabilities, while protecting and respecting the principles of privacy and civil liberties, free expression” (“Department of Defense Strategy,” 2011). So, it is obvious that even while adopting the NIST standards, DoD will naturally incorporate the relevant privacy laws and civil liberties laws including the Privacy Act of 1974. The other important section of the NIST guidelines is selecting the necessary or even tailor-made security control. That is, based on the level of threat or risk, ranging from low, moderate or high, the NIST guidelines can be customized or tailored. So, before the security plan is formulated, the threat or risk level has to be analyzed and found out. Then, the relevant or apt security control has to be selected and incorporated as part of the security plan. This functionality or flexibility of NIST is pointed by Marzigliano (2014), who stated, “The NIST security controls can be customized for the defense IT environment, and DISA has already created more than 1,700 Control Correlation Identifiers (CCIs) that make the controls much easier to implement as system design and development requirements”. In line with flexibility, DoD while coming up with their security plan can customize it according to its threat level and other risk factors. The DoD is already doing this even while following the earlier DIACAP process. Now, with the decision to adopt a more flexible and user-friendly NIST guidelines, DoD can customize it more relevantly and effectively. “Department of Defense, for example, may decide to establish a set of security controls…by applying the tailoring guidance to the standard security control baselines for national security systems to achieve more specialized solutions” (“Security and Privacy Controls,” 2013). So, based on the above analysis, it is possible to state that all the above-discussed four sections are crucial for the formulation of security plans, and when it comes to DoD, it is even more relevant and applicable. References “About” (n. d). In Department of Defense. Retrieved from: http://www.defense.gov/about/ “Department of Defense: Directive.” (2011). In Department of Defense. Retrieved from: http://www.dtic.mil/whs/directives/corres/pdf/510523p.pdf “Department of Defense strategy for operating in cyberspace.” (2011, July). In Department of Defense. Retrieved from: http://www.defense.gov/news/d20110714cyber.pdf Marzigliano, L. T. (2014, Mar 14). Defense department adopts NIST security standards. Retrieved from: http://www.informationweek.com/government/cybersecurity/defense-department- adopts-nist-security-standards/d/d-id/1127706 “Security and Privacy Controls for Federal Information Systems and Organizations.” (2013, April). In NIST. Retrieved from: http://www.disa.mil/Services/DoD-Cloud- Broker/~/media/Files/DISA/Services/Cloud-Broker/NIST-SP80053- SecurityandPrivacyControls.pdf Swanson, M, Hash, J & Bowen, P. (2006). Guide for developing security plans for federal information systems. National Institute of Standards and Technology. Read More