Information System Security Plan


1. Information System Name/Title:

• Unique identifier and name given to the system. [use information from the case study]

2. Information System Categorization:

• Identify the appropriate system categorization [use the information from the case study].

3. Information System Owner:

• Name, title, agency, address, email address, and phone number of the person who owns the system. [Use the field office manager.]

4. Authorizing Official:

• Name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official. [Use the company’s Chief Information Officer.]

5. Other Designated Contacts:

• List other key personnel, if applicable; include their title, address, email address, and phone number. [include the CISO, the ISSO, and other individuals from the case study, if appropriate]

6. Assignment of Security Responsibility:

• Name, title, address, email address, and phone number of the person who is responsible for the security of the system. [Use the case study information.]

7. Information System Operational Status:

• Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status. [Use the case study information.]

8. Information System Type:

• Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose. [use the case study information]

9. General System Description/Purpose

• Describe the function or purpose of the system and the information processes. [use the case study information]

10. System Environment

• Provide a general description of the technical system. Include the primary hardware, software, and communications equipment.

[Use the case study information and diagrams. Add brand names and equipment types as required (if not provided in the case study).]

11. System Interconnections/Information Sharing

• List interconnected systems and system identifiers (if appropriate), provide the system name, owning or providing organization, system type (major application or general support system) … add a fictional date of agreement to interconnect, and the name of the authorizing official.

12. Related Laws/Regulations/Policies

• List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system.

13. Minimum Security Controls

Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for each section. Cut and paste the tables from the provided security controls baseline to add the individual security controls under each section. Use the sections and sub-sections as listed below.

13.1 Management Controls

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

13.1.1 [first control family]

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

13.1.2 [second control family]

…………

13.2 Operational Controls

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

13.2.1 [first control family]

13.2.2 [second control family]

…………

13.3 Technical Controls

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

13.3.1 [first control family]

13.3.2 [second control family]

…………

Example:

14. Information System Security Plan Completion Date: _____________________

• Enter the completion date of the plan.

15. Information System Security Plan Approval Date: _______________________

• Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file.
