Risk Management Framework and System Security Plans

testing one two testing one two um so hey guys welcome to convo courses my name is bruce and i&#39;m going to be answering a couple questions uh about risk management framework cyber security type stuff information technology anything i can answer and i&#39;m starting off with uh some questions that i received on my channel here from jackie o who says are you are you able to share a complete example would you like would like to know what acceptable what an acceptable deliverable ssp looks like you mentioned you&#39;d share a copy in the section below so um so in order i i think maybe i might have mistakenly not put the link in there but if you go to convo courses i have a breakdown of how to put together an acceptable package what are all the steps that go into creating a system security plan for the nist so but what i can do for you jackie and for anybody else who is wanting to see what a system security plan looks like i can give you an example so the thing is an acceptable deliverable for an ssp that&#39;s what you wanted to know would like to know what an acceptable deliverable for ssp looks like okay let&#39;s let&#39;s put this in context what i want to do is first of all i want to show you what for those of you who might not know you might need some framework here some context to know exactly what we&#39;re talking about we&#39;re talking about a system security plan a system security plan is a comprehensive document that explains the security posture of an organization so an organization says hey yeah we&#39;re secure uh yeah we protect these satellites we protect all the data that&#39;s being processed and disseminated and stored uh we you know it&#39;s it&#39;s tracking all the troop movements and all the stuff and it&#39;s secure you know so thing about the federal government is that they don&#39;t take your word for it it has to you have to show evidence that it is secure and and how it&#39;s secure and so the risk management the nist 853 breaks down all the security controls that they that they uh that that you should see to show that you have a certain level of of assurance on your data that means a certain level of confidence that you are protecting the data right so in order to show that what you present is a security pat a authorization package an authorization package consists of a system security plan a plan of action and milestone it can also include a a a assessment report and then artifacts artifacts is like evidence that you have done your scans the evidence that you have backups that are in place and it basically covers all the security controls now an acceptable deliverable for a system security plan delay it really depends on the eye of the beholder what i mean by that is that every organization is going to have what a different definition of what they deem as acceptable for some organizations to prove that you have a a proper backup in place it might be acceptable just to have a screenshot of your most current full backup of your systems for another organization it might be that they want to see the configuration of your backups that they they want to see that you have an incremental backup and they want to see the configurations of your backup system for some for some organizations it might be good enough to just have a policy that you back up the uh so every so often the policy states that the frequency is we do it every wednesday on in may of every year or whatever it is you know whatever it is so every organization is going to be the determining factor they&#39;re the ones who say yeah yes this is good i like this this this is acceptable uh an acceptable evidence so are an acceptable artifact so to answer your questions to answer your question it depends on the organization what is acceptable as a as evidence and for you as an information system security officer as a cyber security expert as a cyber security consultant as a cyber security person it&#39;s your job to figure out what the expectations of the organization is so that&#39;s that&#39;s what you have to do um i know that in in my line of work a lot of times especially in the beginning i would present something that i thought was what the organization wanted to see i would present something that that in my interpretation from my previous jobs i&#39;d say well at my previous job it was good enough just to have a screenshot so i&#39;ll just i&#39;ll just take the screenshot and we&#39;ll we&#39;ll upload that or actually i&#39;ll give you a real world example previous job company a it was fine just to show the policy actually the policy of say the backups if you had the policy there and you we would upload it or even maybe have a link to that the document that talks about the frequency of the backups for the system that was fine they were they were okay with that uh assessors came they looked at it as a yep here&#39;s the document right here your policy says that you guys have this have this backup plan and procedure you have it there you go and then they blessed it and then that was it then i go to another job right i go to company b and and i upload thinking to myself well yeah okay it was good with the other company and this this other organization is a way higher like they have way more important stuff so hey i&#39;m gonna do the same thing i put out a dot the documentation and i put the artifact upload that into uh say emass or whatever it was at the time it wasn&#39;t ems but whatever it was and and said okay here&#39;s the artifact here it is here&#39;s evidence that we our organization is doing the backups and they saw the policy i&#39;m like what is this i&#39;m like it&#39;s the policy no we need evidence this isn&#39;t evidence this is saying that you did it this this procedure says that you guys have conducted the backups but this is not this isn&#39;t what we want and i&#39;m like well okay uh well what you know what do you want like what what kind of evidence very respectfully of course i said well what kind of evidence could you give me examples of what kind of evidence we could bring to the table to show you that we are doing this and they said well maybe a screenshot and give me a screenshot of the ibm backup.exe uh system you know give me that so we that&#39;s what we did we we the moral of the story is you have to figure out what the organization wants now let me give you some further context if you&#39;re confused about this whole thing that i&#39;m talking about artifacts and all this kind of this and that let me show you what we&#39;re talking about here i&#39;m going to show you my screen here what we&#39;re talking about is a system security plan now the system security plan it looks different for every organization all right here&#39;s there&#39;s a there&#39;s a bit of leeway that the risk management framework uh nist 800 series gives you okay so some organizations are still on this what you see here on the screen here is a just a word document this is where i&#39;m at here right here is if you want to follow along is this is uh combocourses.com and you know what i&#39;m going to do is i&#39;m going to find wherever the downloadable is i&#39;m going to make the downloadable free so if you basically if you go on to convo courses logging in is free you&#39;ll see this as a free download if you go to if you&#39;re looking for nist uh iso nist 800 foundations you&#39;ll see is free the downloadables will be this downloadable will be free if i can find it okay so anyway the system security plan looks different at each organization so what you&#39;re seeing here on the screen is a word document version of a system security plan and um let me see where i&#39;m at here yeah okay so this is a video that i&#39;ve done about this particular okay here we go here we go let&#39;s let me just kind of show you a couple things here um so yeah this right here is what&#39;s going to be in that system security plan pretty cumbersome because you&#39;re you&#39;re essentially documenting you&#39;re supposed to document anyway every single system security control and so if you&#39;re doing this in a word document it just gets very very you&#39;re gonna have a a phone book worth of data and it just gets extremely hard to manage because things also change on a regular basis and that&#39;s why some people use something like this xacta exacta is an example one example out of many of a database a searchable database that can hold all the system security controls so there&#39;s exacta there&#39;s uh emass there&#39;s uh and sometimes they&#39;ll have like a homegrown one where it&#39;s just basically uh oracle database or sql database that they put together and um and they just made a searchable database it&#39;s much easier to deal with if you have some kind of a database or a relational database like in xacta what are the archer i think does it rsa archer what other there&#39;s so many other ones out there but this is just one example basically you would put your system security plan and document all the controls in this database rather than doing it on a word document another place that people do it i&#39;ve seen done is on a um a spreadsheet it&#39;s so ridiculously hard to manage a spreadsheet with this much data on it let me let me see if i can find an example of a spreadsheet example of a spread yeah here is one right here this is what we&#39;re looking at here on the screen is a is a spreadsheet that&#39;s been uh a excel spreadsheet that&#39;s been made into a a system security plan it&#39;s just it starts off good it&#39;s very easy to to understand it and you fill it out and it&#39;s like a template and stuff like that but what happens again is that you have so many security controls and they&#39;re being and those security controls change from time to time you got to manage those security controls and on a spreadsheet sometimes it can be it&#39;s first of all it&#39;s very limited you can&#39;t upload files on a spreadsheet you can&#39;t you know you can&#39;t do very comprehensive searches on a spreadsheet you can do some cool stuff with a spreadsheet but it just has some some severe limits so you can do it on whatever the whatever the organization determines um how they determine how they&#39;re going to document all of the security features of the system security uh syste the systems that are managing that are disseminating that are uh processing that are storing that important data you have to document all that stuff so the organization says okay everybody will use this word document here&#39;s the template here&#39;s it&#39;s got our letterhead on it it&#39;s got our symbol of our company and all that kinds of logo and all that kind of stuff on it right or they can say nope we&#39;re going to use spreadsheets that&#39;s what we&#39;ve been using it&#39;s just easier for us and here&#39;s the tabs on the spreadsheet or they can use some kind of a relational database that allows everyone to access it is online and maybe have different role-based uh people who can log in and see different things and manipulate different things and everybody&#39;s collaborated collaborating on say archer or exacto or whatever so that is what a system security plan might look like uh and it&#39;s coming from this document right here which is an 818 nist 818 developing plans for federal systems and if you look at this right here this document this document right here shows you what it&#39;s going what a system security plan should have on it and so here here that part is that part right here um it says a sample information system security plan template all right and uh yeah it&#39;s going to have a categorization of the system the name of the system um and the roles and responsibility and at some point it goes deep dives into all the system security controls themselves and that&#39;s where it just gets super deep and just so much data is being dumped in in that spreadsheet or in that in that uh document that you have and that&#39;s why a relational database is really the a better way to go about it so here&#39;s that document that i that i told you i want to make downloadable i&#39;ll have to come back to this right now because we&#39;re on this live i could probably do this in the background while i&#39;m talking here but um i just wanted to show you a couple more things here&#39;s another downloadable this is a template that&#39;s in a word document and so that&#39;s that&#39;s pretty much it um as far as giving examples a specific example of an artifact that might be in a system security plan that might be acceptable again it really depends on the organization of what is acceptable um but let me see if i can find anything um i might have something what i&#39;m doing is i&#39;m on my actual um training right here to see if i have given out any specific example i believe i have i&#39;m just trying to find it tailor controls documented controls approval um yeah so here let me see if i can all right maybe this will maybe this is one that i could show you so what i&#39;m doing right now is downloading the stakeholders list this is something that goes in the system security plan and it&#39;s just a template that i i don&#39;t think i&#39;ve filled this one out i think i just gave a template just in case somebody wanted to use it for their own organization just one of the things that i have in combo courses if you&#39;re taking the risk management framework it&#39;s of course okay so here&#39;s an example of an artifact you might you might see in a system security plan and all it is is a list of of the people who the stakeholders the people who are responsible in some way on a specific system uh let me see if i can make this a little bit bigger and i&#39;ll show you another one in a second here so yeah there you go it&#39;s just got the title of the person the name the email contact information right there that might be something that you would put into a into a system security plan let me see if i can find another one and there&#39;s other things too there&#39;s like if you if your organization does scans you might prove that hey we&#39;re good we&#39;re we don&#39;t have any vulnerabilities what you might do is is put the results of a nessa scan like if if your organization is doing scans you might do that let me see if i can pull this one up yeah okay here&#39;s another example here&#39;s something i&#39;ve seen on many many different in many different ways uh that are on a in some way shape or form on a system security plan and this one is a hardware software list and this is going to list the host names the ips of course i made all this up now this is real but you you would have location os version the serial numbers the mac addresses and all of these things it of course it&#39;s not going to be three items right if you could have thousands of of items on this list but i&#39;m just giving you an example of what might be acceptable as a artifact it&#39;s ju basically it&#39;s evidence that you have completed a certain task and you meet a certain security control that&#39;s that&#39;s all it is and then here&#39;s the software list and it&#39;s of course going to be way more comprehensive than this if you especially software software lists are crazy huge like ridiculously so huge and nobody&#39;s gonna really really read it you know what i mean so uh yeah so it&#39;s gonna have vendor it&#39;s gonna have software it&#39;s gonna version things like that maybe you might have where where it&#39;s loaded up uh what systems are are uh have this software things like that so those are those are a few examples so i hope that that helps i&#39;m gonna move on to another topic of discussion here while in the background i&#39;ll try to change and make this one this portion some of those downloadables try to make those free all right um i had another question um do you do phone consultations you know on very very rare con occasions i&#39;ll do phone consultations to people who i&#39;ve who&#39;ve been following me for a really long time people i can&#39;t uh who uh who have bought the course and i&#39;ve been we just been talking for many for a long time and so i&#39;ll sometimes do a consultation with them but that&#39;s normally for like resumes and stuff like helping people get jobs and things like that as far as consultations like for your for your organization we&#39;ll have to talk you you need to contact me directly and that&#39;s a whole different i had yes i have done it before my time is very limited so i i can&#39;t always do it you know what i mean but i might know somebody who can though i know several cyber security experts who do the same thing i do and i could if i can&#39;t do it i can pass try to pass the work along to them and they might be able to to do that for a fee of course so yeah contact me what i&#39;ll do is i will have my contact information below and uh and if you contact me i can forward you to the right people let me see if i can find my contact information i could give you if you&#39;re trying to look for a consultation for your organization i might be able to help in that department let me see here where could it be i&#39;ll give you guys that&#39;s if i can actually log in maybe i&#39;ll just go ahead and type my information in there let&#39;s see let&#39;s we&#39;ll just say if you contact me here i&#39;ll put it here it&#39;s cyber aware 2020 all one word at gmail.com if you contact me here and if you have consultation for your organization i you know maybe that&#39;s something i should put up here on my site um it&#39;s just something i don&#39;t advertise every now and then somebody will reach out to me and i&#39;ll i just so happen to be in a place where i can actually help them i have a free time to actually call you know they&#39;ll call me go i&#39;ll go through all of any kind of security questions that they want or go through a jpass or whatever they need me to do and then i&#39;ll get into their system and then help them out but um i i do work full time so you know i can&#39;t always do it so i can pass it off to some other people some other professionals that i know who maybe they have the time to make a little cash on the side or whatever okay so i hope that that helps um let me see i got a question here professor black ops says cyber security for for the people that i have um i have you every use of the grc system to build an ssp um i have you every use of grc system to build an ssp um yeah so the grc systems that i&#39;m familiar with have been like home grown and then uh there&#39;s a archer archer that one i&#39;m pretty familiar with my personally familiar with and uh on those systems you can build out an an entire authentication package on there not just the system security plan just to kind of piggyback on what professor black ops is saying you can build not only the the system security plan with all the evidence if it&#39;s on a database a relational database with the backup storage and all that kind of stuff cloud-based storage or whatever secures cloud-based storage but you could also put the scans like it could track all the scans throughout the network it can track all the hardware software that&#39;s on the network and on the systems uh it could track um any kind of documentation and policies procedures that you have grc systems it means uh governance risk and compliance am i right am i right with that uh professor black ops governance risk and compliance i believe that&#39;s what grc stands for and that&#39;s what they track they track they can track vulnerabilities they can track governance throughout your organization ip addresses what systems you have what software you have just all kinds of stuff let me see oh have you ever built uh have you ever used any grc systems to build an ssp yeah absolutely yeah absolutely the ones there was one called eidtr that i used way back in the day on the air force systems this it&#39;s gone now they don&#39;t they don&#39;t use that anymore i think they replaced it with emass or something like that the emas i&#39;ve never actually had hands-on with emass i&#39;m very familiar with what it does because i&#39;ve had to work with it uh on several occasions where i&#39;m uploading data to it but i personally don&#39;t have direct i&#39;ve never configured a emass system or anything but have put data on them um archer is a grc system with s uh system security plans on it um that&#39;s a really good one what other systems have i worked on some home-grown ones made by different um three-letter agencies that i probably can&#39;t talk about um damn i never work with xacta but that one does is i believe that&#39;s a grc system um man there&#39;s so many different ones so yeah yeah but to answer your question yes i i have worked with and that&#39;s in my opinion the best way to work with a system security plan since there&#39;s so much data and it&#39;s so deep it&#39;s it&#39;s so many things you have to do with it in my opinion it&#39;s not word documents those are the file gets super big to where you can&#39;t sometimes you can&#39;t send it it gets so huge that you gotta break it into parts uh not so yeah dot dot dot is not good um and that&#39;s the same thing with excel excel is even more limiting i mean it allows you to search and things like that and it seems cool but it&#39;s really not and because especially if you&#39;re uploading artifacts like screenshots or scans and stuff like that and it just it can&#39;t handle that stuff the best way in my opinion has been a database relational databases with a with a storage back end that allows you to do everything you need to do and upload files and all that kind of stuff so yes i have worked with grc systems and built system security plans on them and in my opinion those are the best ones to use the ones with a database with a huge storage backend okay let me see here um i am going to look at another question here can you look at my resume finished some months ago looking for a job okay becca um if you happen to see this video please please email me directly and uh and i can help you out and um the best way for me to do this is if i can do it live and what i do with those is i&#39;ll change your personal information and then i will do it live that&#39;s that&#39;s the best way for me to do it the last system security plan i did was 1200 pages yeah yeah i mean they just get it&#39;s like a phone book after a while it doesn&#39;t after a while doesn&#39;t make sense it just does it just doesn&#39;t make any sense anymore to put it in a word doc because nobody&#39;s gonna nobody in their right mind is gonna read that entire thing i mean it just you see the thing after a while it becomes it&#39;s a database essentially right you&#39;re putting a database on a dot doc and it just doesn&#39;t make sense you you use a system security plan to search for a specific thing like you&#39;re searching for a specific thing i mean yeah there&#39;s the description of the system and there&#39;s the i don&#39;t know the mapping or whatever of the system it lists all security controls but when you&#39;re talking about uploading actual artifacts like lists of hardware or lists of software i mean that&#39;s where it just gets crazy you know and you&#39;re you&#39;re relying on scores of people throughout the organization to give you more and more information and uh yeah twelve twelve hundreds is is light i mean i there&#39;s some there&#39;s some that i&#39;ve worked on that had essentially the main part of it had 1200 pages but the other they had we had to break it into different books because because the say the the hardware list and the software lists are so big that the those two things uh take up so much space and so it really needs to just be a database you know government projects just want their pages for the ato for the authority to operate yeah so true so that&#39;s why they get so so big because they want evidence that you basically are you&#39;re taking a picture of the posture of the of the system securities posture what is the security posture of this and what that means in layman&#39;s terms is what is the status how secure is your system right now right that&#39;s what the documentation is meant to do it&#39;s supposed to take a it&#39;s a picture very detailed picture of what the status of the status of the security is right now right it changes over time like it&#39;s constantly actually changing so that document the reason why i say a 1200 page document or more of a of a system security plan is ridiculous because it it&#39;s constantly changing like this week you have uh this version of windows and then next week you have another guess what your security package has to change technically it has to change like if you if you have different software operating system on there it technically you have to go through it and you got to change those little things and so all those copies you made and all those trees you burned down to get these to print out this phone book worth of of paper to give now that all has to change so yeah it&#39;s better on a database that&#39;s just my my humble opinion about it haven&#39;t done this for a while um let me see here um i asked a couple more questions and i i have to get out of here i actually want to do a really long session today but i actually have to go somewhere um one love usmc says hey bruce i have a top secret clearance and i have passed the security plus along with taking a risk management class and now i&#39;m looking to be a security uh control assessor so for this you usmc i&#39;m assuming you&#39;re in the military in the marine corps if you have a clearance and you&#39;ve done some of this work before i would highly recommend that you change you you change your resume to reflect your risk management framework experience and any kind of security control implementation that you&#39;ve done and if you&#39;ve ever assisted in risk management if you&#39;ve ever assisted with security control assessing uh you should put that on your resume and what i mean by that a lot of people who are in cyber security or in it don&#39;t believe that they have done any risk management framework or any kind of security compliance or any kind of security control assessing before but actually you have if you&#39;ve done help desk if you&#39;ve worked if you were the net network engineer guy if you were done firewalls if you&#39;ve done if you&#39;ve done any if you touched any of these systems especially in a large to medium environment more than likely you have some sort of risk management experience experience now a security com i should say security compliance experience because there&#39;s many different security uh compliance frameworks if you work in the federal government which i&#39;m assuming you have because you if you if you have a ts clearance and you usmc i&#39;m assuming you&#39;re a vet you&#39;re in the military act duty or whatever um i&#39;m assuming you have federal experience which means you have some risk management framework experience and let me explain what i mean by that so if you have ever written a a procedure for your organization or some kind of a wiki page like a work instruction page if you&#39;ve ever assisted with a policy if you&#39;ve ever written anything about the security posture of a system then the security status of a system and that also includes if you&#39;ve ever done any kind of scans those are can be worded to show how you&#39;ve assisted the risk management framework process the risk management framework uh package because you don&#39;t know that you&#39;re helping but you are you if you&#39;re working on the help desk and you had to do us a procedure let me just explain what i mean by that if you&#39;ve had to write a procedure a work instruction on how to say i don&#39;t know upload the gpo files on a system uh because all the other people on helpdesk need to know that information you wrote you helped write it or you wrote it yourself or whatever so how that helps risk management framework and security compliance is that me as an iso as an information system security officer i actually need that document because that document is part of our package we might reference it we might not upload it into our package but we might just reference it and say yeah so one of the ways that we do say access control ac2 for example which is access management i believe uh is that we control it via a gpo and we have a procedure procedure xyz that was probably written by yourself uh it explains how we control access to these endpoint devices and so you would want to put that in your resume like if you&#39;ve ever written any kind of documentation for work instruction all those things are part of our system security plan and a part of our our total uh posture of our of our environment so you can actually say it depends on how you word it that you&#39;ve written a document that has assisted in uh the risk management documentation so that might be a bit of a stretch but here&#39;s here i can give you a couple another uh another example security control assessor how could you say that you have assisted with security control assessments well if you&#39;ve ever done a risk if you&#39;ve ever done a scan using uh nessus or or whatever the flavor of the day scanner is in your environment you can you can say hey you know that you have helped to assess the vulnerabilities on the network because that&#39;s exactly what you&#39;re doing when you&#39;re running a scan one of the tools the main tools that security control assessors use is a scanner that&#39;s one of the things that they use so they and by the way security control assessors don&#39;t just scan they also have to look at documentation so if you&#39;ve ever been asked to look at a policy to make sure that it&#39;s that is correct like technically correct if you&#39;ve ever have ever had to look at a procedure and see that it was technically correct that is an assessment you&#39;re you&#39;re assessing whether or not this is this documentation that addresses a specific security feature on a system is accurate and you are com you are doing a self-assessment you are assisting with a self-assessment within the organization you could sounds like a stretch but i&#39;m just telling you the tools of the trade for a security control assessor are scanning our scanners another thing that they do is they uh they look at documentation and they also conduct interviews and so if you&#39;ve you&#39;re on help desk at what point would you have to conduct an interview let me see um when would you have to conduct help me out here when have you ever had to what do you have to talk to people when you&#39;re on the help desk you have to talk to you have to sit down and ask them specific questions about say security features you might have to sit down with a with a customer at the help desk if they bring a thumbnail a thumb drive or something like you have they ever brought a thumb drive to work or something like that or if they&#39;ve ever have they read their latest um procedure on locking down their system or something like that you might want to put in there that you have had to interview certain certain people on the help desk because uh you specifically bitlocker was was an issue and so you had to go to every single person on the floor and say listen uh i need to know about what&#39;s going on with your bit locker have you ever have you done this procedure that you&#39;re supposed to do okay cool all right have you uh have you turned your system off we you need to turn it off before you leave because it has to reboot in order to update right you are interviewing this person with security questions you can put something like that on your resume and the reason here&#39;s why okay and it sounds crazy but here&#39;s why when you&#39;re a security control assessor you have to be able to interview people that&#39;s one of the things that that&#39;s one of the things that they do to to see what the whether an organization is meeting the security compliance right so one of the things they do is scan everybody thinks oh security control assessor they just scan no they don&#39;t they they scan that yes that&#39;s one of the things they use they that they do they do use those tools like nessus or whatever so you definitely put that on your resume but they also interview people they&#39;ll go to an organization one of the biggest things they do actually is interview people they go around they ask questions about the security of the system so you want to put those kinds of skills like yeah i i talk to clients and i i have to talk to clients about the security features of this system to make sure that we are in compliance with our organization&#39;s policy boom you can use those exact words on your resume they want to know that you if you have those skills that&#39;s a real good thing to to know um another thing that you can can talk about is you implementing security features if you have worked on the help desk you have definitely implemented security features you have for sure implemented security features you&#39;ve you&#39;ve um if you&#39;ve ever put in username password if you&#39;ve ever put in a multi-factor authentication if you&#39;ve ever installed multi-factor authentication if you&#39;ve ever uh i don&#39;t know updated sick virus signatures if you&#39;ve updated a system hot fixes patches version releases if you&#39;ve ever done any of that all that stuff should be on your resume implementation of security controls is very important because essentially if you&#39;re a security assessor especially if you&#39;re a technical security assessor and you&#39;ve never implemented security controls how how in the world are you going to know what to even look for you know so you want to put those things on your resume so what i&#39;m saying to you if you happen to be watching this video ever is that you want to take your current resume i&#39;m assuming you&#39;re in federal government because you said usmc and you have a top secret clearance take your current experience and explain that you have helped write write process procedures before i know it sounds like a like who cares like yeah i wrote a procedure a year ago you know like in your mind it&#39;s like a small thing but risk management framework that that&#39;s you actually helped in you without knowing it you have helped the risk management framework process by creating that document because we need those documents to say hey see what we&#39;ve got here we&#39;ve got these procedures we&#39;ve got these policies we&#39;ve got this we&#39;ve got that sometimes we reference those in our actual system security plan so i hope that you will take that as a word of advice something that i wish somebody would have told me many years ago and there you go let me move on to the next thing here um i think that that is about yeah i gotta actually get going here i got a party to go to um okay i&#39;ll read a couple more of these um i read i read a system security plan wait let me back up here back up back back back okay sas nino says what would you suggest for a small organization who probably can&#39;t afford to rely on a high end database to develop their ssp um yeah that&#39;s a great question sauce like i would say if you&#39;re a small organization like if you only have say 20 systems you know and you have like basically one program management system like you only have one package to do and it has 20 systems on it yeah that that&#39;s probably just a document that&#39;s probably just a doc that you can download from my site or somewhere else and then just modify that word doc and then and then you&#39;re good so what i was referring to when i say you know it&#39;s not a good idea to do i&#39;m talking about a thousand page documents and those are those are normally because they&#39;re the organization has so many computers and so many controls you have to meet right and there&#39;s servers and these servers have a server client relationship with these end devices and you&#39;ve got another server that manages all the access control like all of those are one system and and a hundred different people have access to all these systems and just that&#39;s why it gets really long if you have a small organization and you have like one computer i&#39;ve i&#39;ve actually done system security plans for one computer we&#39;re not going to set up a database with a backend for one system and that needs uh a system security plan we&#39;re not no so yet to answer your question for that you could just use a word document or an excel spreadsheet then that would be fine and then you could just supplement it with any kind of like oh here&#39;s the scan you know attach it to the document yeah that&#39;s fine zip it all up and boom you have a package yeah so that that&#39;s what i would recommend i&#39;ve done them for two three system like this this is a very important system but it&#39;s a standalone device and it&#39;s got five systems on it yeah that&#39;s that&#39;s a that&#39;s a doc or or an excel spreadsheet right there and and that&#39;s that might be 30 pages long you know if if it&#39;s 50 pages you know you you&#39;ve put you&#39;ve stuffed a lot of extra stuff in there so so yeah you you totally could do that for a small system um i read a system security plan of a thousand pages for a company i read a system security plan for of a thousand pages for my for a company the company said i was the first one to fully to fully read it i&#39;m ocd i put page numbers uh for my questions that yeah that&#39;s that&#39;s good man that&#39;s that&#39;s really good i what i normally i mean actually as a system security person the only people insane enough to actually go through these is us because we have to we have to go through them that&#39;s our job is to go through them but um what i meant from uh only a crazy person will read it is that a system security plan is some it&#39;s a document that&#39;s not just for cyber security people it&#39;s supposed to be for the whole organization right so your your execs your c level people have to at some point they have to touch this document even to approve it you&#39;ve got privacy people who might have to look at it you&#39;ve got assessors who might each one of those people only wants a small piece of this thing like the c-level execs and the and the managers those guys they only want to see like the all the main stuff with it like okay what&#39;s the overall risk right or what&#39;s my residual risk what what&#39;s my uh let me see the plan of action the milestone that&#39;s giving us problems they only want to see that one part that&#39;s causing grief right if everything if if they&#39;ve got the go-ahead from the team they&#39;re probably going to just rubber snap it sign off and then they&#39;re done read the executive summary boom go off to the next topic you know and then you&#39;re who else reads it um your technical people they&#39;re not reading it i can tell you that for sure like if they&#39;re the firewall guy they&#39;re reading probably no part of that thing you know it&#39;s us who has to read it because we have to go through each one of the system security controls and we have to make sure all the um the eyes are dotted and the t&#39;s are crossed you know so we have to write it and we have to of course read it so and unfortunately a lot of times we&#39;re the only ones who actually read the all the way through and assessors aren&#39;t even going to read it they&#39;re just looking for prop mistakes which are easy to find um let me see professor black ops confirmed yes we did a spreadsheet um and grind it out yeah it sucks it&#39;s for a small company yeah i agree that&#39;s exactly um he says sauce nino says currently assisting a company with being nist 171 compliant everything is in word documents in excel spreadsheets yeah if it&#39;s a small company i can see that is that that must be for um what&#39;s 171 is that um continuous monitoring or am i wrong what is that uh time for me to learn something new 171 compliance hmm oh okay okay holy crap just got a little curious on that one okay um all right so guys i gotta get out of here thanks a lot thank you guys for watching appreciate it it&#39;s good to talk to other professionals about this kind of stuff i mean it&#39;s not really a lot of people talking about it so just us um all right guys i&#39;m gonna let this go i got to i got a bounce um got a place to be but uh hopefully i can do this next week and oh by the way 171 deals with securing cui thank you sir thank you for that information learn something new every day i&#39;m

testing one two testing one two um so hey guys welcome to convo courses my name is bruce and i&amp;#39;m going to be answering a couple questions uh about risk management framework cyber security type stuff information technology anything i can answer and i&amp;#39;m starting off with uh some questions that i received on my channel here from jackie o who says are you are you able to share a complete example would you like would like to know what acceptable what an acceptable deliverable ssp looks like you mentioned you&amp;#39;d share a copy in the section below so um so in order i i think maybe i might have mistakenly not put the link in there but if you go to convo courses i have a breakdown of how to put together an acceptable package what are all the steps that go into creating a system security plan for the nist so but what i can do for you jackie and for anybody else who is wanting to see what a system security plan looks like i can give you an example so the thing is an acceptable deliverable for an ssp that&amp;#39;s what you wanted to know would like to know what an acceptable deliverable for ssp looks like okay let&amp;#39;s let&amp;#39;s put this in context what i want to do is first of all i want to show you what for those of you who might not know you might need some framework here some context to know exactly what we&amp;#39;re talking about we&amp;#39;re talking about a system security plan a system security plan is a comprehensive document that explains the security posture of an organization so an organization says hey yeah we&amp;#39;re secure uh yeah we protect these satellites we protect all the data that&amp;#39;s being processed and disseminated and stored uh we you know it&amp;#39;s it&amp;#39;s tracking all the troop movements and all the stuff and it&amp;#39;s secure you know so thing about the federal government is that they don&amp;#39;t take your word for it it has to you have to show evidence that it is secure and and how it&amp;#39;s secure and so the risk management the nist 853 breaks down all the security controls that they that they uh that that you should see to show that you have a certain level of of assurance on your data that means a certain level of confidence that you are protecting the data right so in order to show that what you present is a security pat a authorization package an authorization package consists of a system security plan a plan of action and milestone it can also include a a a assessment report and then artifacts artifacts is like evidence that you have done your scans the evidence that you have backups that are in place and it basically covers all the security controls now an acceptable deliverable for a system security plan delay it really depends on the eye of the beholder what i mean by that is that every organization is going to have what a different definition of what they deem as acceptable for some organizations to prove that you have a a proper backup in place it might be acceptable just to have a screenshot of your most current full backup of your systems for another organization it might be that they want to see the configuration of your backups that they they want to see that you have an incremental backup and they want to see the configurations of your backup system for some for some organizations it might be good enough to just have a policy that you back up the uh so every so often the policy states that the frequency is we do it every wednesday on in may of every year or whatever it is you know whatever it is so every organization is going to be the determining factor they&amp;#39;re the ones who say yeah yes this is good i like this this this is acceptable uh an acceptable evidence so are an acceptable artifact so to answer your questions to answer your question it depends on the organization what is acceptable as a as evidence and for you as an information system security officer as a cyber security expert as a cyber security consultant as a cyber security person it&amp;#39;s your job to figure out what the expectations of the organization is so that&amp;#39;s that&amp;#39;s what you have to do um i know that in in my line of work a lot of times especially in the beginning i would present something that i thought was what the organization wanted to see i would present something that that in my interpretation from my previous jobs i&amp;#39;d say well at my previous job it was good enough just to have a screenshot so i&amp;#39;ll just i&amp;#39;ll just take the screenshot and we&amp;#39;ll we&amp;#39;ll upload that or actually i&amp;#39;ll give you a real world example previous job company a it was fine just to show the policy actually the policy of say the backups if you had the policy there and you we would upload it or even maybe have a link to that the document that talks about the frequency of the backups for the system that was fine they were they were okay with that uh assessors came they looked at it as a yep here&amp;#39;s the document right here your policy says that you guys have this have this backup plan and procedure you have it there you go and then they blessed it and then that was it then i go to another job right i go to company b and and i upload thinking to myself well yeah okay it was good with the other company and this this other organization is a way higher like they have way more important stuff so hey i&amp;#39;m gonna do the same thing i put out a dot the documentation and i put the artifact upload that into uh say emass or whatever it was at the time it wasn&amp;#39;t ems but whatever it was and and said okay here&amp;#39;s the artifact here it is here&amp;#39;s evidence that we our organization is doing the backups and they saw the policy i&amp;#39;m like what is this i&amp;#39;m like it&amp;#39;s the policy no we need evidence this isn&amp;#39;t evidence this is saying that you did it this this procedure says that you guys have conducted the backups but this is not this isn&amp;#39;t what we want and i&amp;#39;m like well okay uh well what you know what do you want like what what kind of evidence very respectfully of course i said well what kind of evidence could you give me examples of what kind of evidence we could bring to the table to show you that we are doing this and they said well maybe a screenshot and give me a screenshot of the ibm backup.exe uh system you know give me that so we that&amp;#39;s what we did we we the moral of the story is you have to figure out what the organization wants now let me give you some further context if you&amp;#39;re confused about this whole thing that i&amp;#39;m talking about artifacts and all this kind of this and that let me show you what we&amp;#39;re talking about here i&amp;#39;m going to show you my screen here what we&amp;#39;re talking about is a system security plan now the system security plan it looks different for every organization all right here&amp;#39;s there&amp;#39;s a there&amp;#39;s a bit of leeway that the risk management framework uh nist 800 series gives you okay so some organizations are still on this what you see here on the screen here is a just a word document this is where i&amp;#39;m at here right here is if you want to follow along is this is uh combocourses.com and you know what i&amp;#39;m going to do is i&amp;#39;m going to find wherever the downloadable is i&amp;#39;m going to make the downloadable free so if you basically if you go on to convo courses logging in is free you&amp;#39;ll see this as a free download if you go to if you&amp;#39;re looking for nist uh iso nist 800 foundations you&amp;#39;ll see is free the downloadables will be this downloadable will be free if i can find it okay so anyway the system security plan looks different at each organization so what you&amp;#39;re seeing here on the screen is a word document version of a system security plan and um let me see where i&amp;#39;m at here yeah okay so this is a video that i&amp;#39;ve done about this particular okay here we go here we go let&amp;#39;s let me just kind of show you a couple things here um so yeah this right here is what&amp;#39;s going to be in that system security plan pretty cumbersome because you&amp;#39;re you&amp;#39;re essentially documenting you&amp;#39;re supposed to document anyway every single system security control and so if you&amp;#39;re doing this in a word document it just gets very very you&amp;#39;re gonna have a a phone book worth of data and it just gets extremely hard to manage because things also change on a regular basis and that&amp;#39;s why some people use something like this xacta exacta is an example one example out of many of a database a searchable database that can hold all the system security controls so there&amp;#39;s exacta there&amp;#39;s uh emass there&amp;#39;s uh and sometimes they&amp;#39;ll have like a homegrown one where it&amp;#39;s just basically uh oracle database or sql database that they put together and um and they just made a searchable database it&amp;#39;s much easier to deal with if you have some kind of a database or a relational database like in xacta what are the archer i think does it rsa archer what other there&amp;#39;s so many other ones out there but this is just one example basically you would put your system security plan and document all the controls in this database rather than doing it on a word document another place that people do it i&amp;#39;ve seen done is on a um a spreadsheet it&amp;#39;s so ridiculously hard to manage a spreadsheet with this much data on it let me let me see if i can find an example of a spreadsheet example of a spread yeah here is one right here this is what we&amp;#39;re looking at here on the screen is a is a spreadsheet that&amp;#39;s been uh a excel spreadsheet that&amp;#39;s been made into a a system security plan it&amp;#39;s just it starts off good it&amp;#39;s very easy to to understand it and you fill it out and it&amp;#39;s like a template and stuff like that but what happens again is that you have so many security controls and they&amp;#39;re being and those security controls change from time to time you got to manage those security controls and on a spreadsheet sometimes it can be it&amp;#39;s first of all it&amp;#39;s very limited you can&amp;#39;t upload files on a spreadsheet you can&amp;#39;t you know you can&amp;#39;t do very comprehensive searches on a spreadsheet you can do some cool stuff with a spreadsheet but it just has some some severe limits so you can do it on whatever the whatever the organization determines um how they determine how they&amp;#39;re going to document all of the security features of the system security uh syste the systems that are managing that are disseminating that are uh processing that are storing that important data you have to document all that stuff so the organization says okay everybody will use this word document here&amp;#39;s the template here&amp;#39;s it&amp;#39;s got our letterhead on it it&amp;#39;s got our symbol of our company and all that kinds of logo and all that kind of stuff on it right or they can say nope we&amp;#39;re going to use spreadsheets that&amp;#39;s what we&amp;#39;ve been using it&amp;#39;s just easier for us and here&amp;#39;s the tabs on the spreadsheet or they can use some kind of a relational database that allows everyone to access it is online and maybe have different role-based uh people who can log in and see different things and manipulate different things and everybody&amp;#39;s collaborated collaborating on say archer or exacto or whatever so that is what a system security plan might look like uh and it&amp;#39;s coming from this document right here which is an 818 nist 818 developing plans for federal systems and if you look at this right here this document this document right here shows you what it&amp;#39;s going what a system security plan should have on it and so here here that part is that part right here um it says a sample information system security plan template all right and uh yeah it&amp;#39;s going to have a categorization of the system the name of the system um and the roles and responsibility and at some point it goes deep dives into all the system security controls themselves and that&amp;#39;s where it just gets super deep and just so much data is being dumped in in that spreadsheet or in that in that uh document that you have and that&amp;#39;s why a relational database is really the a better way to go about it so here&amp;#39;s that document that i that i told you i want to make downloadable i&amp;#39;ll have to come back to this right now because we&amp;#39;re on this live i could probably do this in the background while i&amp;#39;m talking here but um i just wanted to show you a couple more things here&amp;#39;s another downloadable this is a template that&amp;#39;s in a word document and so that&amp;#39;s that&amp;#39;s pretty much it um as far as giving examples a specific example of an artifact that might be in a system security plan that might be acceptable again it really depends on the organization of what is acceptable um but let me see if i can find anything um i might have something what i&amp;#39;m doing is i&amp;#39;m on my actual um training right here to see if i have given out any specific example i believe i have i&amp;#39;m just trying to find it tailor controls documented controls approval um yeah so here let me see if i can all right maybe this will maybe this is one that i could show you so what i&amp;#39;m doing right now is downloading the stakeholders list this is something that goes in the system security plan and it&amp;#39;s just a template that i i don&amp;#39;t think i&amp;#39;ve filled this one out i think i just gave a template just in case somebody wanted to use it for their own organization just one of the things that i have in combo courses if you&amp;#39;re taking the risk management framework it&amp;#39;s of course okay so here&amp;#39;s an example of an artifact you might you might see in a system security plan and all it is is a list of of the people who the stakeholders the people who are responsible in some way on a specific system uh let me see if i can make this a little bit bigger and i&amp;#39;ll show you another one in a second here so yeah there you go it&amp;#39;s just got the title of the person the name the email contact information right there that might be something that you would put into a into a system security plan let me see if i can find another one and there&amp;#39;s other things too there&amp;#39;s like if you if your organization does scans you might prove that hey we&amp;#39;re good we&amp;#39;re we don&amp;#39;t have any vulnerabilities what you might do is is put the results of a nessa scan like if if your organization is doing scans you might do that let me see if i can pull this one up yeah okay here&amp;#39;s another example here&amp;#39;s something i&amp;#39;ve seen on many many different in many different ways uh that are on a in some way shape or form on a system security plan and this one is a hardware software list and this is going to list the host names the ips of course i made all this up now this is real but you you would have location os version the serial numbers the mac addresses and all of these things it of course it&amp;#39;s not going to be three items right if you could have thousands of of items on this list but i&amp;#39;m just giving you an example of what might be acceptable as a artifact it&amp;#39;s ju basically it&amp;#39;s evidence that you have completed a certain task and you meet a certain security control that&amp;#39;s that&amp;#39;s all it is and then here&amp;#39;s the software list and it&amp;#39;s of course going to be way more comprehensive than this if you especially software software lists are crazy huge like ridiculously so huge and nobody&amp;#39;s gonna really really read it you know what i mean so uh yeah so it&amp;#39;s gonna have vendor it&amp;#39;s gonna have software it&amp;#39;s gonna version things like that maybe you might have where where it&amp;#39;s loaded up uh what systems are are uh have this software things like that so those are those are a few examples so i hope that that helps i&amp;#39;m gonna move on to another topic of discussion here while in the background i&amp;#39;ll try to change and make this one this portion some of those downloadables try to make those free all right um i had another question um do you do phone consultations you know on very very rare con occasions i&amp;#39;ll do phone consultations to people who i&amp;#39;ve who&amp;#39;ve been following me for a really long time people i can&amp;#39;t uh who uh who have bought the course and i&amp;#39;ve been we just been talking for many for a long time and so i&amp;#39;ll sometimes do a consultation with them but that&amp;#39;s normally for like resumes and stuff like helping people get jobs and things like that as far as consultations like for your for your organization we&amp;#39;ll have to talk you you need to contact me directly and that&amp;#39;s a whole different i had yes i have done it before my time is very limited so i i can&amp;#39;t always do it you know what i mean but i might know somebody who can though i know several cyber security experts who do the same thing i do and i could if i can&amp;#39;t do it i can pass try to pass the work along to them and they might be able to to do that for a fee of course so yeah contact me what i&amp;#39;ll do is i will have my contact information below and uh and if you contact me i can forward you to the right people let me see if i can find my contact information i could give you if you&amp;#39;re trying to look for a consultation for your organization i might be able to help in that department let me see here where could it be i&amp;#39;ll give you guys that&amp;#39;s if i can actually log in maybe i&amp;#39;ll just go ahead and type my information in there let&amp;#39;s see let&amp;#39;s we&amp;#39;ll just say if you contact me here i&amp;#39;ll put it here it&amp;#39;s cyber aware 2020 all one word at gmail.com if you contact me here and if you have consultation for your organization i you know maybe that&amp;#39;s something i should put up here on my site um it&amp;#39;s just something i don&amp;#39;t advertise every now and then somebody will reach out to me and i&amp;#39;ll i just so happen to be in a place where i can actually help them i have a free time to actually call you know they&amp;#39;ll call me go i&amp;#39;ll go through all of any kind of security questions that they want or go through a jpass or whatever they need me to do and then i&amp;#39;ll get into their system and then help them out but um i i do work full time so you know i can&amp;#39;t always do it so i can pass it off to some other people some other professionals that i know who maybe they have the time to make a little cash on the side or whatever okay so i hope that that helps um let me see i got a question here professor black ops says cyber security for for the people that i have um i have you every use of the grc system to build an ssp um i have you every use of grc system to build an ssp um yeah so the grc systems that i&amp;#39;m familiar with have been like home grown and then uh there&amp;#39;s a archer archer that one i&amp;#39;m pretty familiar with my personally familiar with and uh on those systems you can build out an an entire authentication package on there not just the system security plan just to kind of piggyback on what professor black ops is saying you can build not only the the system security plan with all the evidence if it&amp;#39;s on a database a relational database with the backup storage and all that kind of stuff cloud-based storage or whatever secures cloud-based storage but you could also put the scans like it could track all the scans throughout the network it can track all the hardware software that&amp;#39;s on the network and on the systems uh it could track um any kind of documentation and policies procedures that you have grc systems it means uh governance risk and compliance am i right am i right with that uh professor black ops governance risk and compliance i believe that&amp;#39;s what grc stands for and that&amp;#39;s what they track they track they can track vulnerabilities they can track governance throughout your organization ip addresses what systems you have what software you have just all kinds of stuff let me see oh have you ever built uh have you ever used any grc systems to build an ssp yeah absolutely yeah absolutely the ones there was one called eidtr that i used way back in the day on the air force systems this it&amp;#39;s gone now they don&amp;#39;t they don&amp;#39;t use that anymore i think they replaced it with emass or something like that the emas i&amp;#39;ve never actually had hands-on with emass i&amp;#39;m very familiar with what it does because i&amp;#39;ve had to work with it uh on several occasions where i&amp;#39;m uploading data to it but i personally don&amp;#39;t have direct i&amp;#39;ve never configured a emass system or anything but have put data on them um archer is a grc system with s uh system security plans on it um that&amp;#39;s a really good one what other systems have i worked on some home-grown ones made by different um three-letter agencies that i probably can&amp;#39;t talk about um damn i never work with xacta but that one does is i believe that&amp;#39;s a grc system um man there&amp;#39;s so many different ones so yeah yeah but to answer your question yes i i have worked with and that&amp;#39;s in my opinion the best way to work with a system security plan since there&amp;#39;s so much data and it&amp;#39;s so deep it&amp;#39;s it&amp;#39;s so many things you have to do with it in my opinion it&amp;#39;s not word documents those are the file gets super big to where you can&amp;#39;t sometimes you can&amp;#39;t send it it gets so huge that you gotta break it into parts uh not so yeah dot dot dot is not good um and that&amp;#39;s the same thing with excel excel is even more limiting i mean it allows you to search and things like that and it seems cool but it&amp;#39;s really not and because especially if you&amp;#39;re uploading artifacts like screenshots or scans and stuff like that and it just it can&amp;#39;t handle that stuff the best way in my opinion has been a database relational databases with a with a storage back end that allows you to do everything you need to do and upload files and all that kind of stuff so yes i have worked with grc systems and built system security plans on them and in my opinion those are the best ones to use the ones with a database with a huge storage backend okay let me see here um i am going to look at another question here can you look at my resume finished some months ago looking for a job okay becca um if you happen to see this video please please email me directly and uh and i can help you out and um the best way for me to do this is if i can do it live and what i do with those is i&amp;#39;ll change your personal information and then i will do it live that&amp;#39;s that&amp;#39;s the best way for me to do it the last system security plan i did was 1200 pages yeah yeah i mean they just get it&amp;#39;s like a phone book after a while it doesn&amp;#39;t after a while doesn&amp;#39;t make sense it just does it just doesn&amp;#39;t make any sense anymore to put it in a word doc because nobody&amp;#39;s gonna nobody in their right mind is gonna read that entire thing i mean it just you see the thing after a while it becomes it&amp;#39;s a database essentially right you&amp;#39;re putting a database on a dot doc and it just doesn&amp;#39;t make sense you you use a system security plan to search for a specific thing like you&amp;#39;re searching for a specific thing i mean yeah there&amp;#39;s the description of the system and there&amp;#39;s the i don&amp;#39;t know the mapping or whatever of the system it lists all security controls but when you&amp;#39;re talking about uploading actual artifacts like lists of hardware or lists of software i mean that&amp;#39;s where it just gets crazy you know and you&amp;#39;re you&amp;#39;re relying on scores of people throughout the organization to give you more and more information and uh yeah twelve twelve hundreds is is light i mean i there&amp;#39;s some there&amp;#39;s some that i&amp;#39;ve worked on that had essentially the main part of it had 1200 pages but the other they had we had to break it into different books because because the say the the hardware list and the software lists are so big that the those two things uh take up so much space and so it really needs to just be a database you know government projects just want their pages for the ato for the authority to operate yeah so true so that&amp;#39;s why they get so so big because they want evidence that you basically are you&amp;#39;re taking a picture of the posture of the of the system securities posture what is the security posture of this and what that means in layman&amp;#39;s terms is what is the status how secure is your system right now right that&amp;#39;s what the documentation is meant to do it&amp;#39;s supposed to take a it&amp;#39;s a picture very detailed picture of what the status of the status of the security is right now right it changes over time like it&amp;#39;s constantly actually changing so that document the reason why i say a 1200 page document or more of a of a system security plan is ridiculous because it it&amp;#39;s constantly changing like this week you have uh this version of windows and then next week you have another guess what your security package has to change technically it has to change like if you if you have different software operating system on there it technically you have to go through it and you got to change those little things and so all those copies you made and all those trees you burned down to get these to print out this phone book worth of of paper to give now that all has to change so yeah it&amp;#39;s better on a database that&amp;#39;s just my my humble opinion about it haven&amp;#39;t done this for a while um let me see here um i asked a couple more questions and i i have to get out of here i actually want to do a really long session today but i actually have to go somewhere um one love usmc says hey bruce i have a top secret clearance and i have passed the security plus along with taking a risk management class and now i&amp;#39;m looking to be a security uh control assessor so for this you usmc i&amp;#39;m assuming you&amp;#39;re in the military in the marine corps if you have a clearance and you&amp;#39;ve done some of this work before i would highly recommend that you change you you change your resume to reflect your risk management framework experience and any kind of security control implementation that you&amp;#39;ve done and if you&amp;#39;ve ever assisted in risk management if you&amp;#39;ve ever assisted with security control assessing uh you should put that on your resume and what i mean by that a lot of people who are in cyber security or in it don&amp;#39;t believe that they have done any risk management framework or any kind of security compliance or any kind of security control assessing before but actually you have if you&amp;#39;ve done help desk if you&amp;#39;ve worked if you were the net network engineer guy if you were done firewalls if you&amp;#39;ve done if you&amp;#39;ve done any if you touched any of these systems especially in a large to medium environment more than likely you have some sort of risk management experience experience now a security com i should say security compliance experience because there&amp;#39;s many different security uh compliance frameworks if you work in the federal government which i&amp;#39;m assuming you have because you if you if you have a ts clearance and you usmc i&amp;#39;m assuming you&amp;#39;re a vet you&amp;#39;re in the military act duty or whatever um i&amp;#39;m assuming you have federal experience which means you have some risk management framework experience and let me explain what i mean by that so if you have ever written a a procedure for your organization or some kind of a wiki page like a work instruction page if you&amp;#39;ve ever assisted with a policy if you&amp;#39;ve ever written anything about the security posture of a system then the security status of a system and that also includes if you&amp;#39;ve ever done any kind of scans those are can be worded to show how you&amp;#39;ve assisted the risk management framework process the risk management framework uh package because you don&amp;#39;t know that you&amp;#39;re helping but you are you if you&amp;#39;re working on the help desk and you had to do us a procedure let me just explain what i mean by that if you&amp;#39;ve had to write a procedure a work instruction on how to say i don&amp;#39;t know upload the gpo files on a system uh because all the other people on helpdesk need to know that information you wrote you helped write it or you wrote it yourself or whatever so how that helps risk management framework and security compliance is that me as an iso as an information system security officer i actually need that document because that document is part of our package we might reference it we might not upload it into our package but we might just reference it and say yeah so one of the ways that we do say access control ac2 for example which is access management i believe uh is that we control it via a gpo and we have a procedure procedure xyz that was probably written by yourself uh it explains how we control access to these endpoint devices and so you would want to put that in your resume like if you&amp;#39;ve ever written any kind of documentation for work instruction all those things are part of our system security plan and a part of our our total uh posture of our of our environment so you can actually say it depends on how you word it that you&amp;#39;ve written a document that has assisted in uh the risk management documentation so that might be a bit of a stretch but here&amp;#39;s here i can give you a couple another uh another example security control assessor how could you say that you have assisted with security control assessments well if you&amp;#39;ve ever done a risk if you&amp;#39;ve ever done a scan using uh nessus or or whatever the flavor of the day scanner is in your environment you can you can say hey you know that you have helped to assess the vulnerabilities on the network because that&amp;#39;s exactly what you&amp;#39;re doing when you&amp;#39;re running a scan one of the tools the main tools that security control assessors use is a scanner that&amp;#39;s one of the things that they use so they and by the way security control assessors don&amp;#39;t just scan they also have to look at documentation so if you&amp;#39;ve ever been asked to look at a policy to make sure that it&amp;#39;s that is correct like technically correct if you&amp;#39;ve ever have ever had to look at a procedure and see that it was technically correct that is an assessment you&amp;#39;re you&amp;#39;re assessing whether or not this is this documentation that addresses a specific security feature on a system is accurate and you are com you are doing a self-assessment you are assisting with a self-assessment within the organization you could sounds like a stretch but i&amp;#39;m just telling you the tools of the trade for a security control assessor are scanning our scanners another thing that they do is they uh they look at documentation and they also conduct interviews and so if you&amp;#39;ve you&amp;#39;re on help desk at what point would you have to conduct an interview let me see um when would you have to conduct help me out here when have you ever had to what do you have to talk to people when you&amp;#39;re on the help desk you have to talk to you have to sit down and ask them specific questions about say security features you might have to sit down with a with a customer at the help desk if they bring a thumbnail a thumb drive or something like you have they ever brought a thumb drive to work or something like that or if they&amp;#39;ve ever have they read their latest um procedure on locking down their system or something like that you might want to put in there that you have had to interview certain certain people on the help desk because uh you specifically bitlocker was was an issue and so you had to go to every single person on the floor and say listen uh i need to know about what&amp;#39;s going on with your bit locker have you ever have you done this procedure that you&amp;#39;re supposed to do okay cool all right have you uh have you turned your system off we you need to turn it off before you leave because it has to reboot in order to update right you are interviewing this person with security questions you can put something like that on your resume and the reason here&amp;#39;s why okay and it sounds crazy but here&amp;#39;s why when you&amp;#39;re a security control assessor you have to be able to interview people that&amp;#39;s one of the things that that&amp;#39;s one of the things that they do to to see what the whether an organization is meeting the security compliance right so one of the things they do is scan everybody thinks oh security control assessor they just scan no they don&amp;#39;t they they scan that yes that&amp;#39;s one of the things they use they that they do they do use those tools like nessus or whatever so you definitely put that on your resume but they also interview people they&amp;#39;ll go to an organization one of the biggest things they do actually is interview people they go around they ask questions about the security of the system so you want to put those kinds of skills like yeah i i talk to clients and i i have to talk to clients about the security features of this system to make sure that we are in compliance with our organization&amp;#39;s policy boom you can use those exact words on your resume they want to know that you if you have those skills that&amp;#39;s a real good thing to to know um another thing that you can can talk about is you implementing security features if you have worked on the help desk you have definitely implemented security features you have for sure implemented security features you&amp;#39;ve you&amp;#39;ve um if you&amp;#39;ve ever put in username password if you&amp;#39;ve ever put in a multi-factor authentication if you&amp;#39;ve ever installed multi-factor authentication if you&amp;#39;ve ever uh i don&amp;#39;t know updated sick virus signatures if you&amp;#39;ve updated a system hot fixes patches version releases if you&amp;#39;ve ever done any of that all that stuff should be on your resume implementation of security controls is very important because essentially if you&amp;#39;re a security assessor especially if you&amp;#39;re a technical security assessor and you&amp;#39;ve never implemented security controls how how in the world are you going to know what to even look for you know so you want to put those things on your resume so what i&amp;#39;m saying to you if you happen to be watching this video ever is that you want to take your current resume i&amp;#39;m assuming you&amp;#39;re in federal government because you said usmc and you have a top secret clearance take your current experience and explain that you have helped write write process procedures before i know it sounds like a like who cares like yeah i wrote a procedure a year ago you know like in your mind it&amp;#39;s like a small thing but risk management framework that that&amp;#39;s you actually helped in you without knowing it you have helped the risk management framework process by creating that document because we need those documents to say hey see what we&amp;#39;ve got here we&amp;#39;ve got these procedures we&amp;#39;ve got these policies we&amp;#39;ve got this we&amp;#39;ve got that sometimes we reference those in our actual system security plan so i hope that you will take that as a word of advice something that i wish somebody would have told me many years ago and there you go let me move on to the next thing here um i think that that is about yeah i gotta actually get going here i got a party to go to um okay i&amp;#39;ll read a couple more of these um i read i read a system security plan wait let me back up here back up back back back okay sas nino says what would you suggest for a small organization who probably can&amp;#39;t afford to rely on a high end database to develop their ssp um yeah that&amp;#39;s a great question sauce like i would say if you&amp;#39;re a small organization like if you only have say 20 systems you know and you have like basically one program management system like you only have one package to do and it has 20 systems on it yeah that that&amp;#39;s probably just a document that&amp;#39;s probably just a doc that you can download from my site or somewhere else and then just modify that word doc and then and then you&amp;#39;re good so what i was referring to when i say you know it&amp;#39;s not a good idea to do i&amp;#39;m talking about a thousand page documents and those are those are normally because they&amp;#39;re the organization has so many computers and so many controls you have to meet right and there&amp;#39;s servers and these servers have a server client relationship with these end devices and you&amp;#39;ve got another server that manages all the access control like all of those are one system and and a hundred different people have access to all these systems and just that&amp;#39;s why it gets really long if you have a small organization and you have like one computer i&amp;#39;ve i&amp;#39;ve actually done system security plans for one computer we&amp;#39;re not going to set up a database with a backend for one system and that needs uh a system security plan we&amp;#39;re not no so yet to answer your question for that you could just use a word document or an excel spreadsheet then that would be fine and then you could just supplement it with any kind of like oh here&amp;#39;s the scan you know attach it to the document yeah that&amp;#39;s fine zip it all up and boom you have a package yeah so that that&amp;#39;s what i would recommend i&amp;#39;ve done them for two three system like this this is a very important system but it&amp;#39;s a standalone device and it&amp;#39;s got five systems on it yeah that&amp;#39;s that&amp;#39;s a that&amp;#39;s a doc or or an excel spreadsheet right there and and that&amp;#39;s that might be 30 pages long you know if if it&amp;#39;s 50 pages you know you you&amp;#39;ve put you&amp;#39;ve stuffed a lot of extra stuff in there so so yeah you you totally could do that for a small system um i read a system security plan of a thousand pages for a company i read a system security plan for of a thousand pages for my for a company the company said i was the first one to fully to fully read it i&amp;#39;m ocd i put page numbers uh for my questions that yeah that&amp;#39;s that&amp;#39;s good man that&amp;#39;s that&amp;#39;s really good i what i normally i mean actually as a system security person the only people insane enough to actually go through these is us because we have to we have to go through them that&amp;#39;s our job is to go through them but um what i meant from uh only a crazy person will read it is that a system security plan is some it&amp;#39;s a document that&amp;#39;s not just for cyber security people it&amp;#39;s supposed to be for the whole organization right so your your execs your c level people have to at some point they have to touch this document even to approve it you&amp;#39;ve got privacy people who might have to look at it you&amp;#39;ve got assessors who might each one of those people only wants a small piece of this thing like the c-level execs and the and the managers those guys they only want to see like the all the main stuff with it like okay what&amp;#39;s the overall risk right or what&amp;#39;s my residual risk what what&amp;#39;s my uh let me see the plan of action the milestone that&amp;#39;s giving us problems they only want to see that one part that&amp;#39;s causing grief right if everything if if they&amp;#39;ve got the go-ahead from the team they&amp;#39;re probably going to just rubber snap it sign off and then they&amp;#39;re done read the executive summary boom go off to the next topic you know and then you&amp;#39;re who else reads it um your technical people they&amp;#39;re not reading it i can tell you that for sure like if they&amp;#39;re the firewall guy they&amp;#39;re reading probably no part of that thing you know it&amp;#39;s us who has to read it because we have to go through each one of the system security controls and we have to make sure all the um the eyes are dotted and the t&amp;#39;s are crossed you know so we have to write it and we have to of course read it so and unfortunately a lot of times we&amp;#39;re the only ones who actually read the all the way through and assessors aren&amp;#39;t even going to read it they&amp;#39;re just looking for prop mistakes which are easy to find um let me see professor black ops confirmed yes we did a spreadsheet um and grind it out yeah it sucks it&amp;#39;s for a small company yeah i agree that&amp;#39;s exactly um he says sauce nino says currently assisting a company with being nist 171 compliant everything is in word documents in excel spreadsheets yeah if it&amp;#39;s a small company i can see that is that that must be for um what&amp;#39;s 171 is that um continuous monitoring or am i wrong what is that uh time for me to learn something new 171 compliance hmm oh okay okay holy crap just got a little curious on that one okay um all right so guys i gotta get out of here thanks a lot thank you guys for watching appreciate it it&amp;#39;s good to talk to other professionals about this kind of stuff i mean it&amp;#39;s not really a lot of people talking about it so just us um all right guys i&amp;#39;m gonna let this go i got to i got a bounce um got a place to be but uh hopefully i can do this next week and oh by the way 171 deals with securing cui thank you sir thank you for that information learn something new every day i&amp;#39;m

Transcript for:Risk Management Framework and System Security Plans

Transcript for:
Risk Management Framework and System Security Plans