Okay, hi everyone, welcome to today's session. So far we've covered a lot, right? We've categorized an information system: we identified all the information types, we got the high water mark for that system, we even did an adjusted impact level for our system. Then we've gone through Rev 4 and Rev 5, with Rev 4 being obsolete, so you might still be working for an organization that still adheres to Rev 4, NIST 800-53 Rev 4. So we've shown how we can get a security control baseline after we categorize an information system. But the next question here is, what happens next? We've been doing all of this, but we've not introduced any documentation yet. So are you just going to do that and keep it in your memory? What are you going to do with all the information that we have worked on so far? So we want to be able to document it, okay? And it doesn't even matter whether an organization is adhering to FISMA or FedRAMP; even when you work for a private organization, with your knowledge of GRC, if they don't have any form of documentation, fair enough, GRC is so easy that you can go to the internet, you know, go to the FedRAMP Marketplace; DHS has a lot of templates online. Once you do your research you can document, or actually take some of those templates and customize them to your organization's needs. I'm saying so because I've worked with a private organization where I had to come up with a customized template, so you too can do the same. Okay.

So the very first documentation that we're going to talk on is called the SSP, that's the System Security Plan. If you hear the name, System Security Plan, it is just a Bible for that system; it has everything about that system, okay? And as of now we also make it a habit to learn how to develop our own policy, right? And since we have just categorized an information system, we have the system description. Fair enough, this is YouTube, but my registered students, that's something that they've worked on hands-on: they were able to have a system description with the architectural diagram, everything, so they were able to identify all the information types that their system has. I think they have close to 21 information types, if I'm not mistaken. They were able to adjust some impact levels, and they also came out with their high water mark, and their system is a high system. And now they are currently working on security controls; after that they'll also learn how to start developing their SSP, everything that we've done, both the security aspect as well as the privacy aspect.

But let me share my screen; let's quickly go over the slides together. All right, so: System Security Plan, a comprehensive overview for beginners. I still believe, you know, even those of you who are already working professionals, I believe you all will still benefit from our videos. First, it says an SSP outlines how an information system's security controls are implemented, assessed and maintained; it documents the security posture of the system. Do you get it? Like everything about that system, you have it in your SSP. It's a very confidential document; it's not a document that anyone can easily get access to, no. It's highly sensitive information, because once you lay your hands on this particular document you will literally know everything about that system, about all their controls, especially where they have a situation where controls have not been implemented; then you really see the risks that they are exposed to. It even gives you the progress of that system: at what level is that system? Is it at the level of categorization, at the level of selection of controls, have they implemented the security controls? So this is a living artifact, right? It's a living document, where anything that you do, you make sure you start updating it, and you learn how to develop an SSP, okay? And that's why I talk about controls being implemented: you have to talk about the control status. This is something that we're also going to cover in future videos, you know, talk about the control status, whether the controls have been assessed or not and how those controls are being maintained. So it covers everything about that information system. For example, let's just say you maybe have an information system where you are at a hospital, one of their information systems that collects patients' sensitive information, right? And they say an SSP outlines how patient data is protected and what security measures are in place to ensure confidentiality as well as integrity, and let's not also forget the availability aspect.

But what are some of the purposes of an SSP? First, you want to ensure the system meets security requirements. Very important, right? Security is a big thing; not only security but also the privacy requirements. It also guides system owners in implementing security controls and provides transparency for auditors, for audits as well as assessments. So it also provides guidance for system owners on how to implement security controls. You're going to see I have a template from the Department of Homeland Security; you have a section where you have to document your controls, you have to put a control implementation statement, how that control is being implemented, and it even gives you the status of the controls, because once you go there you check to see if that control has been implemented or not; if it's planned, then you need to know that you have to go do it, right? And also one important aspect is the fact that it provides transparency for audits as well as assessments. Like in my last role, actually, one of the things I did, I had to lead an annual assessment, right? You have the assessors or auditors peering in every year to assess the security posture. As a matter of fact, I managed like two very hectic or heavy major applications, so being able to do the annual audit, right, as I was the ISSO, when they are coming the very first document they're going to request is the SSP. Your SSP has all the information.

And that even reminds me also, when you take on your role, or in interviews, one of the things that you're going to be doing, even like your day-to-day activities at times, you're also going to be reviewing and updating security policies, right? For example, I was an ISSO; when I left they had to update that document to have the most current information, right, the point of contact. Because imagine a situation where I'm there, I left and nobody updated it, and when the assessor comes in, guess what, they want to call my number, they want to email me, but of course I've left the organization, right? And this is again important because once they are able to go through the SSP it literally tells you everything about that system, okay? Also, a company uses an SSP to prove compliance with different regulations like GDPR, HIPAA, and that's why I keep saying that it doesn't matter if you are adhering to FISMA or FedRAMP; this is a document that anybody can adopt, because it helps you bring everything together, right? You have a unified approach where you're able to document stuff, you're able to see the actual risks, you're able to remediate them, you are able to just make sure everything looks good, right? So the SSP is just one important document.

Also, another important section of your SSP has to do with the system description. As I said, my students have a system description that they worked on. You should be able to put the name of that system, the ID of that system, and each and every system has acronyms, so also put the acronyms of that system, and then you also want to put the system description, like here it said "managing customer records for e-commerce platforms", or just have a diagram that literally lets you picture the kind of system it is, right? Then again, remember you also have the section for your categorization aspect that we spoke of already, where you have to categorize it based on the impact levels, and you need to understand that you are categorizing based on each and every component of the CIA, that is, the security objectives, right? So if your system has, say, nine information types, nine times three, because you have three security objectives, like literally you have to take each information type, get an impact level for confidentiality, integrity, availability, and then check: do we want to adjust it, do we want to tailor it? If yes, we have a rationale behind it, and then you go to the next one. So you have to do it like that for all your information types, but if you have just one information type then you just have to do it for the three security objectives. The example here is that a payment processing system might have a high confidentiality impact, ensuring sensitive financial data is protected, where you need to ensure that they have access controls, right? Because in a situation where you collect a lot of sensitive information you want to make sure you have the necessary security controls.

Another section that you're also going to find in your SSP has to do with the roles and responsibilities, right? The different roles and responsibilities, put them in. Remember I told you about my role, for example: because I was the ISSO I had to lead this annual assessment where auditors or assessors are coming; I should be the point of contact to give them all the different documents that they need. And bear with me, before they even come I must have reviewed all our policies to make sure they're up to date, reviewed and updated those policies, made sure they're signed, and then also collected the necessary artifacts from the different stewards (I think we used J then), so I made sure I was tracking progress; people had to bring all the different artifacts. If there's an artifact that is missing, of course you want to get those. For example, I had to lead a tabletop exercise for disaster recovery, for both disaster recovery and incident response, and those were the artifacts that they also needed. So you need to make sure you do all of those before they even come, okay? If, as I told you, you are the manager, right, if you're the manager you can do that, but if you are just mid-level then of course you can seek help in gathering or putting together all the different artifacts.

And then security controls. The bulk of this document actually is your security controls, right? So imagine a system, for example like the system that our students have worked on; it's a high system. A high system by default has a lot and plenty of security controls; you have systems that have over 200, 2,000 controls. So just imagine how big your SSP is; you have SSPs that might range from 200 pages to 800 pages, 400, 600, depending again on the criticality and sensitivity of the system. And bear with me that the organization can also go with the baseline controls, but they can still tailor it to add additional controls that are not necessarily baseline controls; it solely depends on them. But whatever the case is, you realize that the SSP is being filled with a lot, a lot of security controls, and that's why I still lay the emphasis and tell people: if you understand security controls very well, not just knowing all the security controls, "I know what security controls are", but being able to understand, taking some time to understand security controls very well, then you'll be very good as far as GRC is concerned.

So let's go to this template that I already downloaded online. You can just go to Google; I got it from the Department of Homeland Security, you can see that it's DHS, or you can also go to the FedRAMP Marketplace; you can go to the resources section and download some of their templates there. But looking at this, let's just say, let's quickly go over it. Oh, it's not responding. Okay, so do you see, first, you have to come... remember when I said that when I led the annual assessment I had to review and update that policy? So each time you are reviewing, you have to come to the revision history and make sure you update it, even if nothing has changed. See, you want to put the date that you reviewed it, right, to show that the document at least was reviewed and updated, or it was reviewed even if nothing happened. So your revision history is going to tell you that. So this is something that again, as students will be developing this policy, even if you are not taking training with us you can also make it your habit to just go there; you can create maybe a system description and then just learn how you can tailor this to fit your organization's needs, okay? And the preface just talks about the Department of Homeland Security, but let's go down and see what we have. And just going through the table of contents, just imagine from here to somewhere here, it just has everything about the system: the boundary, the architectural diagram, roles and responsibilities, the ATO status, like authorization to operate, hardware and software components, system description and so on. But if you look at it now, from here, that is from page 15 right here, because this is controls, from page 15 all the way to page 250 they are all security controls. So you just see what I've been telling you all: in this document, once you've put everything in at the front, the rest of the document is all security controls. You're going to see that shortly, okay?

So, system identification. First identify your system: the system security plan overview, whatever, put your definition; system name, of course you have to put a system name; you have to put the FISMA ID, the version, as well as the abbreviation or acronyms. Information categorization: you have to fill that in. Do you see, we have it based on the impact level, that's the impact level of high, you know, for example high high high, low low low or whatever; you have to do it and come up with the high water mark, and then you have to also identify all the information types, right? So, information types: you define them, you classify them, and then you see a justification; you have the provisional level, and if there's any form of adjustment you have to come up with a rationale for that adjustment, right? And then also talk of responsible organizations, the persons and points of contact. Do you see the point? That's why I said this document is a living artifact, it's a living document; it must always have the most current information. So if somebody leaves you want to make sure it's being reviewed and updated, that person's information is being removed or updated with the most current information, right? And that's why you have to put the address, name, phone number and email; make sure those are also documented. And then system operation, under 1.5: you want to tell us what's the operational status of this system, where we are at in the risk management life cycle, right? Currently, as we just said, we're on phase one, that's the categorization of the information system, because this is a draft document we are still developing. We have to categorize it, we need to put the information types, we need to tailor it to have our ID and everything, and then we need to start identifying, once we put everything in, all the different roles and responsibilities, if there's some form of interface or integration with other systems, the architectural diagram, the data flow, like literally everything. Once we have that documented, software and hardware components, if there are any, then you want to tell us the state of the system; for example, the system has the following authorization status at this point. Okay, this one, operational status: we are still in phase one, that's the categorization of the information system. Authorization status: has it received an ATO yet? No, not yet authorized, so put "not yet authorized", because this is still a document that we are developing, right?

System operation: identify who owns the system and who operates the system. Again we talked about that, all the different roles and responsibilities, the system owner, the different stewards, as well as the stakeholders. Then in this section you have to put the system description: mission, authorization boundary, how it's formed, I think I spoke on that already; if there's some form of external integration with other systems you want to make sure it's being documented. And then you have the system users, all the different users and their roles; you also want to make sure it's been documented. Architectural diagram: you see, you've got to put it in; "the following architectural drawing provides a visual description of the major system hardware elements and constituents", so make sure it goes there. And what type of system is it? Is it a major application or is it a minor application? So you're just going to document and choose the section that fits your system, right? And then hardware, virtual machines, software, firmware and description: if you are using any of those, then you also want to make sure the version and the brand are documented, the version and everything about that particular device. So there, you see, an SSP again is just that document that tells you everything about what you all do. And encryption, SSL, PKI: tell us who issued the certificate for your system, right? Like when is the certificate going to expire? Do you see, for all devices you need to have the host name, the model, as well as the location. So everything again about your system, you're just going to document. And that notwithstanding, if we can just go on... so this is something that you all can take some time and just go over, and just try to understand the different sections, and come to the realization that an SSP is one of the most important documents that each and every information system must have. And remember it's not a document where the organization has one; the organization has information systems, so if that organization has over 100 systems, then you must make sure you have over 100 SSPs. That's just one, and think of all the other SSPs that are going to be developed as time progresses, okay?

Another one is any mobile code, ports, protocols, services, even privacy considerations: so you also want to make sure you document if this system collects a lot of PII, where a PIA is mandatory, excuse me, it should be documented. Do you see, even the applicable laws, the laws that you all adhere to, make sure they are all documented right there. And you see this point, and that's why I said, if I think of pages 15 to 250, it has to do with security controls, right, both security and privacy controls, not just security. And if you look at this document, the template was actually developed under 800-53 Rev 4, because last class we spoke about the comparative analysis between Rev 4 and Rev 5. But this already, you see, access control policy and procedures, "the organization...", and now Rev 5 is more outcome-based, and of course it's not necessarily pinpointing or defining the roles that have to satisfy that particular control, but anyone within your organization, so it's more action-oriented, okay? And they just copied the description or the summary from Rev 4, that's NIST 800-53 Rev 4, and pasted it here. But one thing that you're going to realize as time progresses, and something that we're going to work on each time you come, now your controls, for example the dash-one controls, the -1 controls, are policy and procedures, that's AC-1. You have to define each and every piece or component of this AC-1, right? For example they said "develop, document and disseminate to [organization-defined personnel or roles]": who in your organization is responsible for developing, documenting and disseminating the access control policy? Now you need to define that person; the ISSO, for example, the ISSO is responsible for developing, documenting as well as disseminating the access control policy. And then each time you check, you have to define each and every component; you also have the purpose, the access control policy actually has a purpose, addresses scope, roles, responsibilities and all that, and the other stuff that we have there. And then we talk about review and update: when is this document being reviewed and updated, is it annual or something? So everything you get, you have to make sure you satisfy this particular control, because if assessors are coming in, if they are assessing, or maybe you are also an assessor within your organization, these are some of the things that you want to check.

And this portion is going to come in handy, especially when we start talking about implementation statements, because each and every part would need to have an implementation statement. So you have the implementation narrative, then you have the implementation statement that actually speaks to that particular part of that control. For example, part a needs to have an implementation statement, a.1 and a.2 need to have an implementation statement, part b needs to have an implementation statement, as well as b.1 and b.2, you know. So each and every one needs to have an implementation statement, and then when we come, we need to also go to the status, right? That's where you want to come in: is it implemented, is it not implemented, is it planned? So give me the status of this particular control, and that's why it talks about transparency, because by the time you document this and come to this section of your SSP you should be able to tell if this control has been satisfied or not, or maybe it's planned. And each time you put "planned", a POA&M, I think that's another document that we're going to cover, a POA&M is also being developed where you need to track the progress of the work: give me a time frame, when is the expected time when your organization or the responsible personnel will have implemented this particular security control, right? So each time you are documenting this, again it's being tracked, and if you work in an organization where they are so big on agile methodology then this is something that of course they have to incorporate in all their sprints; we have the product managers who can also follow up to make sure that the controls are being implemented and we are also meeting our POA&M expectations or expected timeline, okay?

So likewise, if you go to, like, account management, do you see that account management is huge? It's so long; look at how many pieces we have here. So you are coming here for your SSP; again it's just what you have in your policy, because you've already developed your policy. So if you have a good policy, your policy comes in paragraph form that speaks to that control, but when you are updating this in your SSP you are in more of the implementation narrative, so you have each and every piece of this control, you have those implementation statements, right? So it's just a replica of your policy; once you have a good policy it's just something that you copy and paste, copy and paste, but make sure it satisfies each and every component or piece that is listed here, right? For example, a: "identifies the following types of information system accounts to support organizational missions: [Assignment: organization-defined information system account types]". Tell me what kind of account type; define the account types, and who is responsible for that. But we're not really going to spend time, because this again is Rev 4; since we're going to be working with Rev 5, in the next or subsequent videos we'll dig into Rev 5 and see how we can start developing security policies and also how we can effectively develop, how do they call it, or learn how to write implementation statements, so as to come up with an implementation narrative, okay?

So if you look here, if you look at this document again, everything just has to do with your controls, your controls, your controls. So tell me, if you've been assessing controls over and over and over again, this document is so easy, right? Yet it is long, a very, very lengthy document, but it has to do with a lot of security controls, okay? So this is what an SSP is all about: one of the most important documents that an organization needs to have for their information systems, and again, as I said, it has everything about that system that you need to know, okay? So for those of you who want to download this document, you can just go to... I went to Google, I just put "DHS SSP template", and I was able to download it. And even when you go to the FedRAMP Marketplace you can also see some SSPs that you can just download, and then just make it a habit to go through the document and see the different sections, try to understand it. Even when you are a working professional, just also make it a habit to visit this document to revise and get used to it; maybe you are not really working with this SSP, but this is something that you can also help develop if you're working for a private organization, right, having something in-house or for record keeping or housekeeping that the organization can adopt in the long run, okay? I hope this particular session helped. I'll see you all in the next video; I think then we're going to talk about the POA&M, we're going to go through security controls, then we're going to learn how to start developing security policies, and from there we're going to learn how to write implementation statements. So it's a lot. See you all in the next video. Bye.
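As an added example, not code from the video or from the DHS template it walks through, here is a small Python model of the two SSP sections discussed in the session: the security categorization (provisional C/I/A levels per information type, adjustments that must carry a rationale, high water mark) and the control implementation statements whose status feeds a POA&M. The class names, fields, sample information types and control parts are assumptions constructed for illustration.

```python
"""Added example (not from the video or the DHS template): the two SSP sections the
session walks through, as small checkable functions; sample data and names are assumed.
 1. Categorization: provisional C/I/A impact levels per information type, adjustments
    that must carry a documented rationale, and the high water mark.
 2. Controls: every control part needs an implementation statement and a status;
    anything not "implemented" becomes a POA&M item with an owner and a due date.
"""
from dataclasses import dataclass, field

RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")
STATUSES = {"implemented", "partially implemented", "planned", "not implemented"}

@dataclass
class InformationType:
    name: str
    provisional: dict                               # objective -> provisional level
    adjusted: dict = field(default_factory=dict)    # objective -> adjusted level
    rationale: dict = field(default_factory=dict)   # objective -> justification

    def level(self, objective):
        # An adjustment without a documented rationale is exactly what an assessor flags.
        if objective in self.adjusted and objective not in self.rationale:
            raise ValueError(f"{self.name}/{objective}: adjustment without rationale")
        return self.adjusted.get(objective, self.provisional[objective])

def categorize(info_types):
    """Per-objective high water mark across all information types, plus the overall level."""
    per_obj = {o: max((it.level(o) for it in info_types), key=RANK.__getitem__)
               for o in OBJECTIVES}
    return per_obj, max(per_obj.values(), key=RANK.__getitem__)

@dataclass
class ControlPart:
    control_id: str   # e.g. "AC-1"
    part: str         # e.g. "a.1"
    statement: str    # implementation statement for this part
    status: str
    owner: str        # responsible role, e.g. "ISSO"
    due: str = ""     # expected completion date when the part is not yet implemented

def review_controls(parts):
    """Return (problems, poam): documentation gaps to fix, and POA&M items to track."""
    problems, poam = [], []
    for p in parts:
        tag = f"{p.control_id} {p.part}"
        if p.status not in STATUSES:
            raise ValueError(f"{tag}: unknown status {p.status!r}")
        if not p.statement.strip():
            problems.append(f"{tag}: missing implementation statement")
        if p.status != "implemented":
            if not p.due:
                problems.append(f"{tag}: {p.status} but no expected completion date")
            poam.append({"control": p.control_id, "part": p.part,
                         "status": p.status, "owner": p.owner, "due": p.due})
    return problems, poam

# Constructed sample data for a hypothetical hospital system.
SAMPLE_INFO_TYPES = [
    InformationType("patient health records",
                    {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"}),
    InformationType("public web content",
                    {"confidentiality": "low", "integrity": "low", "availability": "moderate"},
                    adjusted={"availability": "low"},
                    rationale={"availability": "static pages; an outage has negligible mission impact"}),
]
SAMPLE_PARTS = [
    ControlPart("AC-1", "a.1", "The ISSO develops and documents the access control policy.", "implemented", "ISSO"),
    ControlPart("AC-1", "a.2", "Procedures to be written once the policy is approved.", "planned", "ISSO", due="2025-Q3"),
    ControlPart("AC-2", "a", "", "implemented", "System Owner"),  # no statement: an assessor finding
]

if __name__ == "__main__":
    print(categorize(SAMPLE_INFO_TYPES), review_controls(SAMPLE_PARTS), sep="\n")
```

The sample system comes out high because one information type is high on confidentiality, while the adjusted availability of the public content does not lower the system below moderate on that objective; the review flags the missing AC-2 statement and raises one POA&M item for the planned AC-1 a.2 part.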