Why is a separate System Security Plan required for each field office?

After reviewing the week's reading, the Project 3 description, and the Red Clay Renovation company profile, we know that the main office for RCR is in Delaware, with two other field offices located in Philadelphia and Baltimore. RCR is a company that renovates, remodels, and rehabilitates residential buildings, and for customer satisfaction we must implement the proper security system. In addition, some states (such as Georgia and Oregon) require a specific information security plan; therefore a separate System Security Plan (SSP) is required for each field office.

A System Security Plan documents the controls that have been selected to mitigate the risks of IT systems. The purpose of the SSP is to provide an overview of the security requirements of the system and to describe the controls in place or planned, as well as the responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system (SANS, 2003). Also, for all individuals who access the system, the SSP outlines behaviors and responsibilities. Therefore, in order to outline the behavior and responsibilities of the individuals who access the system, the SSP should similarly document the planning and processes of security protections (Patrick, n.d.).

As we know, RCR has offices in different locations, which means it has different types of IT network systems, information, and personnel. Therefore, each may carry different kinds of threats (such as physical threats, insider threats, informational threats, computer-related threats, etc.) for the site to defend against. These threats require a separate SSP to be developed for each location, as it would detail the different IT equipment, availability of services, types of sensitive information, personnel, etc.

In addition, our company is rapidly growing, and we are facing and learning more about threats to RCR. Therefore, we are responsible for working with the SSP by updating it and submitting it for each of our RCR locations to the CISO for review. In sum, implementing a separate SSP for each field office will be cost effective and will also allow us to keep our system secure. According to the SANS Institute, the policies that are implemented to protect an organization's information and assets from any disclosure will help to ensure the integrity and confidentiality of information and systems.

References:
Oregon.gov (n.d.). Information Security Plan Guidelines. Retrieved from https://www.oregon.gov/das/OSCIO/Documents/securityplanguidelines.pdf
SANS (2003, April 1). System Security Plan. Retrieved from https://www.sans.org/projects/systemsecurity.php
Patrick, W. (n.d.). Creating an Information Systems Security Policy. Retrieved from https://www.sans.org/reading-room/whitepapers/policyissues/creating-information-systems-security-policy-534
2. Steven Boyer
Red Clay Renovation is a world-renowned organization known for specializing in renovations and rehabilitation of residential buildings and dwellings. The headquarters is based in Wilmington, Delaware; the operations center is located in Owings Mill, Maryland; and there are field offices in downtown Baltimore and the suburbs of Philadelphia. Each office operates and manages its own IT infrastructure and has a managing director, 2-3 architects, a senior project manager, a business manager, and an office manager. Each office has support personnel provided by a local staffing firm.

The RCR CISO, Eric Carpenter, is ultimately responsible for providing management oversight and technology leadership for the company's information technology security program. Although the CISO is responsible for the overall program, the field office manager is responsible for approval of and compliance with security plans and procedures for his or her field office. In addition, each field officer is also the IT system owner of their respective field office.

The use of NIST guidance documents, a less costly option for managing IT systems and services, was approved at the suggestion of the CISO. The NIST documents include:
NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook
NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-100 Information Security Handbook: A Guide for Managers
NISTIR 7621 Small Business Information Security: The Fundamentals
The CISO will be responsible for providing direction and for developing a System Security Plan (SSP) based on the above NIST documents. An SSP is a systematic approach to protecting an information system from unauthorized access, guarding against viruses, and the overall protection of the IT system from vulnerabilities (Techopedia, 2018). It will also provide an overall view of the RCR security requirements and the controls put in place to secure the systems (SANS, 2013). Each field office has its own IT infrastructure with staff and employees assigned to it. Therefore, it is a best practice that each field office supports a separate SSP. Although from a corporate perspective the SSP is managed and directed by the CISO, each SSP will include:
System details/inventory documenting the purpose of the system
The system owner
A list of authorized personnel that can access the branch office
Level of access or access control list; least access privilege will be implemented, a concept restricting access rights for users, accounts, and computing processes to only those that are required
Access control methods
Strengths and weaknesses of the system
Remediation processes (Techopedia, 2018)

Developing a separate SSP for each field office, managed and directed by the CISO, will provide a system-focused macro-view of how security controls are being implemented from the top down. The master SSP will define the RCR system security standards for security controls and provide guidance to the system owners at the field offices (CyberSheath, 2017). The process also helps, at a micro level, to identify non-compliance and uncover insecure practices at the field level. By separating the security plan and its responsibility at the field level, we reduce RCR's overall security risk to the organization, allowing segmentation and remediation of breaches at the field level.

References
CyberSheath. (2017, Nov 15). Tips for Writing Your System Security Plan. Retrieved from https://www.cybersheath.com/tips-writing-system-security-plan/
SANS. (2013, April 1). System Security Plan. Retrieved from https://www.sans.org/projects/systemsecurity.php
Techopedia. (2018). System Security Plan. Retrieved from https://www.techopedia.com/definition/29713/system-security-plan
What are some examples of such measures and threats?
