StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Information System Security Plans - Research Paper Example

Cite this document
Summary
"Information System Security Plan" paper focuses on the four sections of the NIST’s security plan such as General Description, System Environment, Laws, regulations, and Security Control Selection. The paper also explains why these sections are important and how they can be applied in DoD…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER96% of users find it useful
Information System Security Plans
Read Text Preview

Extract of sample "Information System Security Plans"

Information System Security Plan An Assignment Submitted by Fall Information System SecurityPlan A nation can protect itself from threats and reach the top echelons only if its security system is made optimal and effective without any chance of loopholes. This is where the role of a security plan assumes significance. A foolproof security plan for the nation’s federal agencies and other governmental organizations can enable it to function securely and efficiently thereby giving the nation an ‘edge’ over other nations. That is, once agencies’ security structures and critical information are secured, they can operate without any threats, which in way strengthen the overall defense of the nation, weaken the defense of its enemies, and even orient the nation on the right path of development. Then, with todays rapidly changing political, economic, and importantly technical environment increasing the threat for the federal agencies, it becomes paramount for those agencies to adopt a strong security plan. In that direction, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed guidelines on the ways to formulate and adopt a security plan. “NIST SP 800-53 contains the management, operational, and technical safeguards or countermeasures prescribed for an information system” (Swanson, Hash & Bowen, 2006). Among the various parts of the NIST’ security plan, the focus will be on the four sections of General Description, System Environment, Laws, regulations, and policies, and finally Security Control Selection. So, when a federal agency like Department of Defense (DoD) adopts a security plan, these four sections can contribute optimally to the process and so the discussion will about why are these sections are important and how they can be applied in DoD. All federal agencies or systems including DoD reflect some to extreme level of sensitivity and because of that it requires protection for its physical IS system and its virtual data as part of secured and good management practice. In that direction, DoD adopted a risk-focused security plan and guidelines of NIST in 2014 after dropping its longstanding DoD Information Assurance Certification and Accreditation Process (DIACAP). DoD transitioned to NIST considering its effectiveness, in-depth focus and at the same user-friendly nature. “The NIST library of security controls (in NIST publication 800-53 Rev. 4), currently in use at most civilian agencies, are much larger and the controls more granular, yet easier to understand and implement, than DIACAP, say those familiar with both methods” (Marzigliano, 2014). Under the transition plan, DoD has six months from March 12, 2014 to end any new accreditations under the legacy DIACAP process and three-and-a-half years for the full transition to NIST from all the existing DIACAP-based accreditations (Marzigliano, 2014). In that direction, DoD has to formulate security plan. The purpose of system security plan is to chart an overview of the security requirements, analyze the existing controls, find loopholes to plug, come up with newer and updated controls, and so on. As part of this documentation of the structured process of security planning, the function and purpose of the system has to be described. Once the function and purpose of the system is described, relevant and even customized security plan can be formed. Although, NIST standards are applicable to all federal agencies particularly DoD, considering DoD’s role in the formulation of NIST, describing the functioning and purpose of DoD’s IS at the outset can aid in the formulation of effective and pertinent security plan. So, this section of general description is an important and basic step in the designing of the security plan. Speaking of DoD’s, its main purpose and function is coordinating as well as supervising the federal agencies and government’s function that are concerned with national security. It is under the DoD, the three key military divisions of U.S. Department of the Army, Navy, and the Air Force comes under. Apart from these three organizations, DoD coordinate and supervise the four national intelligence agencies or services including the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA), and the National Reconnaissance Office (NRO) (“Department of Defense: Directive,” 2011). In addition, DoD’s physical structure extends to many acreage. Apart from its main installation of Pentagon, DoD manages number of installations in over 5000 different locations or sites utilizing over 30 million acres of land thereby reflecting its huge physical presence (“About”). Then when it comes to its system environment also, it exhibits sizable presence. Focusing and then detailing about the technical system environment of agencies like DoD is a key component in the formulation of security plan. The technical system environment includes all the physical hardwares and virtual softwares that runs the IS structure or even complements the functioning of the IS structure in DoD. Although, it might be difficult to list and include all those components of the technical system environment, it has to be done to come up with an effective security plan. So, it is obvious that this section of system environment is an important section in the NIST guidelines. When it comes to DoD, its technical system environment is humongous, with hardwares and softwares being added every day. According to 2011 figures, “DoD operates over 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries around the globe”(“ Department of Defense Strategy,” 2011). The technical system environment not only includes components in an immobile installation but also extends to defense related vehicles and weapons. So, the NIST standards are applicable to the IS structure that is present in its installations and also mobile components. “It even applies to IT that resides on weapons, in space, on vehicles, on aircraft, or in medical devices (collectively referred to as platform IT), though some forms of platform IT and other unique system types are handled under slightly different procedures and rules” (Marzigliano, 2014). When one focuses on environmental or technical factors that raise special security concerns, DoD is particularly concerned regarding three areas of potential adversarial threats. It includes “theft or exploitation of data; disruption or denial of access or service that affects the availability of networks, information, or network-enabled resources; and destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks or connected system” (“Department of Defense Strategy,” 2011). The above-mentioned adversarial activities can be carried out by enemy or opposition countries and its intelligence agencies as well as by non-state terrorist or commercial groups. In addition, the widespread availability of hacking tools and other sophisticated hardwares and softwares are making it easy for these agencies and groups to have a crack at DoD. The other section of the NIST standards is formulating a security plan which abides by key laws, regulations, or policies. That is, federal, state, and even local laws that protect the privacy and civil liberties of the civilians and even the employees working in the federal agencies like DoD have to be taken care. Although, protecting the national interests appears paramount, it does not have to be at the cost of civil liberties and other ethics, making this an important section. In the case of DoD, it has already incorporated this need to protect privacy and civil liberties as part of its statutes and functioning. “DoD…seeks to mitigate the risks posed to U.S. and allied cyberspace capabilities, while protecting and respecting the principles of privacy and civil liberties, free expression” (“Department of Defense Strategy,” 2011). So, it is obvious that even while adopting the NIST standards, DoD will naturally incorporate the relevant privacy laws and civil liberties laws including the Privacy Act of 1974. The other important section of the NIST guidelines is selecting the necessary or even tailor-made security control. That is, based on the level of threat or risk, ranging from low, moderate or high, the NIST guidelines can be customized or tailored. So, before the security plan is formulated, the threat or risk level has to be analyzed and found out. Then, the relevant or apt security control has to be selected and incorporated as part of the security plan. This functionality or flexibility of NIST is pointed by Marzigliano (2014), who stated, “The NIST security controls can be customized for the defense IT environment, and DISA has already created more than 1,700 Control Correlation Identifiers (CCIs) that make the controls much easier to implement as system design and development requirements”. In line with flexibility, DoD while coming up with their security plan can customize it according to its threat level and other risk factors. The DoD is already doing this even while following the earlier DIACAP process. Now, with the decision to adopt a more flexible and user-friendly NIST guidelines, DoD can customize it more relevantly and effectively. “Department of Defense, for example, may decide to establish a set of security controls…by applying the tailoring guidance to the standard security control baselines for national security systems to achieve more specialized solutions” (“Security and Privacy Controls,” 2013). So, based on the above analysis, it is possible to state that all the above-discussed four sections are crucial for the formulation of security plans, and when it comes to DoD, it is even more relevant and applicable. References “About” (n. d). In Department of Defense. Retrieved from: http://www.defense.gov/about/ “Department of Defense: Directive.” (2011). In Department of Defense. Retrieved from: http://www.dtic.mil/whs/directives/corres/pdf/510523p.pdf “Department of Defense strategy for operating in cyberspace.” (2011, July). In Department of Defense. Retrieved from: http://www.defense.gov/news/d20110714cyber.pdf Marzigliano, L. T. (2014, Mar 14). Defense department adopts NIST security standards. Retrieved from: http://www.informationweek.com/government/cybersecurity/defense-department- adopts-nist-security-standards/d/d-id/1127706 “Security and Privacy Controls for Federal Information Systems and Organizations.” (2013, April). In NIST. Retrieved from: http://www.disa.mil/Services/DoD-Cloud- Broker/~/media/Files/DISA/Services/Cloud-Broker/NIST-SP80053- SecurityandPrivacyControls.pdf Swanson, M, Hash, J & Bowen, P. (2006). Guide for developing security plans for federal information systems. National Institute of Standards and Technology. Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Project 3 Information System Security Plans Research Paper”, n.d.)
Project 3 Information System Security Plans Research Paper. Retrieved from https://studentshare.org/information-technology/1665487-project-3-information-system-security-plans
(Project 3 Information System Security Plans Research Paper)
Project 3 Information System Security Plans Research Paper. https://studentshare.org/information-technology/1665487-project-3-information-system-security-plans.
“Project 3 Information System Security Plans Research Paper”, n.d. https://studentshare.org/information-technology/1665487-project-3-information-system-security-plans.
  • Cited: 0 times

CHECK THESE SAMPLES OF Information System Security Plans

Security Plan for ABC Information Systems

This paper ''Security Plan for ABC Information Systems'' tells that an information system forms a fundamental component in the provision of communication services to human beings.... However, adequate planning enables the organization to develop an effective information system.... No duplication or any reproduction of this security plan information system document should be done without permission from the author.... 9 Security Plan for ABC Information Systems Introduction An information system forms a fundamental component in the provision of communication services to human beings....
15 Pages (3750 words) Research Paper

The Rookie Chief Information Security Officer

The study "The Rookie Chief Information security Officer" provides a quality assurance received by the vendor - ISO certified, employee protection for employee areas, three information security policies that could be developed and practiced within the organization for data security assurance.... The main objective of this paper is to provide a well-designed IT security plan with modern security measures that would help in maintaining a proper database system in the organization (Stoyles, Pentland & Demant, 2003)....
10 Pages (2500 words) Case Study

Security and Integrity of Health Care Information Systems

The author of the paper "security and Integrity of Health Care Information Systems" argues in a well-organized manner that health information systems deal with a lot of operations involved in managing sensitive medical information for different patients.... Unfortunately, maintaining the security and integrity of the information systems and applications is still a challenge to many hospitals and associated organizations that handle patients' records, even after the changeover to electronic storage and operations....
17 Pages (4250 words) Term Paper

Business Plan Project for a Security Guard Company SecureIT

The author of the paper "Business Plan Project for a security Guard Company SecureIT" will begin with the statement that the company SecureIT is a company formed as a partnership between two friends Mr.... The formers of SecureIT Company have experience in security systems in relation to IT developments and experience gained through serving under the police for over twenty years.... The company aimed at providing quality security services that will cover the provision of guards to different premises, conducting private investigations, and the provision of consultancy services to the customers....
9 Pages (2250 words) Case Study

A Key Concept in Information Systems

Consequently, a key concept in information systems is ensuring privacy, confidentiality, accuracy and completeness through information system security (Peltier, 2013).... With the increasing threats to information systems from external and internal sources, these organizations must ensure availability or reliable information security plans that address personal users of the systems, the... Additionally, information systems have environments, boundaries purpose and interactions in which they operate....
5 Pages (1250 words) Term Paper

Information Security Plan

Organizations are created by people, buildings and procedures, and these three ingredients can perform well only if they are assure of their security.... From the exchange of information for communication purpose to the exchange of secrets pertaining to the security of countries, cyberspace has become the medium of choice for everyone.... With the introduction of information technology, the risk of all above mentioned factors have increased....
15 Pages (3750 words) Case Study

Role of Security Automation Systems in Oil and Gas Industry

This review ''Role of security Automation Systems in Oil and Gas Industry'' discusses the key role of such security automation systems in securing data in the oil and gas industry.... OGP (2010) observes that the adoption of new technologies by both upstream and downstream operators, such as security automation systems, is one way the industry players use to mitigate the issues and enhance service delivery.... OGP (2010) observes that the adoption of new technologies by both upstream and downstream operators, such as security automation systems, is one way the industry players use to mitigate the issues and enhance service delivery....
8 Pages (2000 words) Literature review

Systems Theory and Physical Security

The focus of this paper "Systems Theory and Physical security" is to discuss the systems approach to physical security and why it is necessary for the protection of assets.... System theory plays a significant role in that they offer security and can, therefore, be used to offer both safety and security (Schultz et al, 2001).... Modern and high-tech safety analysis techniques that are based on system theory have found their way....
13 Pages (3250 words) Term Paper
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us