Information System Security Plans - Coursework Example

Information System Security Plans Information System Security Plans Information security has recently become an important aspect for both the press and media. The desire to have the applications in place has been pushed by the recent attacks that initiated the need to ensure the highest level of information security practices. The basic document in the security process has been the IT since it defines features and controls of the system security. The IT security plans support capital planning and the system life cycle efforts. They also support the risk management activities and certification as well as the accreditation of IT systems. For this reason, the security plans should be updated and prepared on an ongoing basis with up to date information concerning every agency’s information securities. Sources of Requirements for the Selected Plan Type The USDA agencies as well as the staff offices shall develop and maintain a program security plan that is an overall for all General support systems and major applications. The plans shall be made using tablets and instructions within the security plan guidance. Instructions and templates for the type of plan are provided in a table of security plan guidance. The table includes a section that assists agencies in the definition for General support system and their applications. There are also some modified templates for electronic submission of plans. After the completion of the annual security plan, all changes will be reflected in the agency software database according to the requirements of the policies. The agency administration is expected to submit a cover letter that contains plans attesting to the accuracy and completeness of the security plans. The letter should include information regarding the previous year’s deficiencies on whether they have been corrected (Disaster Recovery, 2010). Relationship between Organization Security Policies and the Plan The organization security policy entails the departments in responsibility of certain issues within the organization. The associate CIO for cyber security provides guidance, strategies and tools for assisting the USDA agencies in meeting the requirements of the plan that are to prepare an annual security plan for the security program, applications, and the general support system. The associate performs dynamic reviews of the annual security plan submissions. This is meant to ensure that all information regarding the security practices are completed and detailed. They provide feedback to every agency concerning the plans. The security plan, through the associated CIO should review all requests for policy exception and respond to the requesting officer in a timely manner. The associate should also perform an oversight review of agencies to ensure that information within the plan comply with the policy (Whitman and Mattord, 2011). The agency chief information officer within the plan must ensure that the agency administration signs the transmittal cover letter confirming to the correctness and completeness of the plans. The officer should also ensure that all business developers and owners are familiar with the requirements of an annual security plan. IT systems developers and business owners are responsible for the preparation of the plans. The chief information officer within the plan should develop and maintain an inventory for all information technology systems. They should determine data sensitivity and applications. They should also prepare a detailed plan for the overall security program and applications. The chief officer according to the organization security policy should submit the package to the cyber security officer, both electronically and in hard copy. Moreover, the same officer should also ensure that copies of security plans are well maintained in the staff office and that all IT systems have an adequate security control. Additionally, the policy within the organization is the employment of agency information systems security managers who should become familiar with all requirements of the security program in the organization. These managers should make sure that all agency security plans are handed in to the agency head with a letter for signature confirming the completeness and accuracy of the plans. Recommended format for the General Support System (GSS) plan The general support system is an interconnected information resource that falls under the same management control sharing a common functionality. Normally, it includes software, hardware, Applications, data, information, facilities people and communications. It provides support for different users or applications. A general support system can be a communications network or a tactical radio network. It can also be a departmental data processing center. An application in the plan requires special attention to security because of the intensity of the harm that may result from the misuse or loss of the information. The required format for the general support system includes the system identification that identifies the system in terms of date and type. Date is followed by the system name or title whereby, a unique name should be given to the system. Responsible organization for the system is also listed in the system identification part. Information conducts which include the name of persons knowledgeable about the system. These are written in the format of Name, Title, Address and Phone. The second section after the system identification is the system operational status; in this section, details with relevant periods are provided for any segment of the system that is under development or under modifications. Third is the general description of the plan. In this section, the purpose of the system is defined while describing the processing flow of the application starting from its input to its output. There is still a list of organizations and the type of data provided. System environment is also included in the format where information is provided on a general description of the system. Any relevant environmental or technical factors are included. In the same section, there is information on any security software that protects the system and information. The last section of the general support system plan includes the information sharing or the system interconnection. System identifiers and the interconnected systems are listed. In case of connections to the external system, a short discussion of any security concerns to be considered are provided. In this case, a written authorization is required and the same should be obtained before performing connections with other systems or sharing any sensitive data (Whitman and Mattord, 2011). The authorization details rules and behaviors that should be observed by the interconnecting systems. The rules must also be described and the description accompanied with the plan. Content Requirements for the General Support System (GSS) Plan The general support system begins with the operational controls. These address the security mechanisms and focus on methods that are implemented and performed by people. The controls are placed to improve the security of the system. They require much expertise and rely much on the management activities and the technical controls. This section describes the operational control measures that are intended to the requirements for protection of the general support system (Disaster recovery, 2010). The greatest impact on the system comes from performances of individuals. Therefore, the personal controls are enacted while the environmental and physical protection is a critical requirement. The production controls that include the input and outputs are also included in the key requirements. In this section, a synopsis is provided for the procedure that supports the GSS. There is the contingency planning which is an appropriate backup that ensures the continuity of support in the event of system failure. Hardware and software maintenance and integrity controls, records, security awareness, and training and the incidence response capability are some major sections required within the general support system plan. The main purpose of the system security plan is to provide an overview of the security requirements of a system and describing the controls placed the responsibilities and the behavior for the people who access the system. References Disaster recovery. (2010). Clifton Park, NY: Cengage Learning. Whitman, M. E., & Mattord, H. J. (2011). Roadmap to information security: For IT and InfoSec managers. Boston, MA: Course Technology/Cengage Learning. Read More