Академический Документы
Профессиональный Документы
Культура Документы
{DRAFT / FINAL}
Contract:
{Submission date}
Boston University
REVISION HISTORY
Revisio
n
Number
0
Summary of Revision
Revision
Author
Date
Accepted By
Initial Draft
SSP Submitted By
Printed name
Title
Signature
Date
Contracting Company
Contract Number
SSP Approval
System Manager
Printed name
Title
Signature
Date
SSP Approval
CSO
Printed name
Title
Signature
Date
Printed name
Title
Signature
Date
SSP Approval
TABLE OF CONTENTS
SECTION
1.
SYSTEM IDENTIFICATION........................................................................................................1
1.1.
1.2.
1.3.
1.4.
1.5.
1.6.
1.7.
1.8.
1.9.
1.10.
1.11.
1.12.
2.
SYSTEM NAME/TITLE....................................................................................................................................1
RESPONSIBLE COMPONENT...........................................................................................................................1
SYSTEM OWNER............................................................................................................................................1
INFORMATION CONTACTS..............................................................................................................................1
ASSIGNMENT OF SECURITY RESPONSIBILITY................................................................................................1
ASSIGNMENT OF CERTIFICATION & ACCREDITATION RESPONSIBILITY.........................................................2
AUTHORIZING OFFICIAL................................................................................................................................2
OPERATIONAL STATUS...................................................................................................................................3
GENERAL DESCRIPTION/PURPOSE.................................................................................................................3
SYSTEM ENVIRONMENT.................................................................................................................................3
SYSTEM DIAGRAMS.......................................................................................................................................4
SYSTEM INTERCONNECTION/INFORMATION SHARING...................................................................................5
SENSITIVITY OF INFORMATION.............................................................................................6
2.1.
2.2.
3.
PAGE
4.
SECURITY FINDINGS.................................................................................................................79
5.
DOCUMENTATION.....................................................................................................................80
1. System Identification
1.1.
System Name/Title
1.2.
Responsible Component
1.3.
System Owner
1.4.
Information Contacts
1.5.
1.7.
Authorizing Official
Operational Status
Select one:
Operational (System is operating)
Under Development (The System is being designed, developed, or implemented)
Undergoing a major modification (The System is undergoing a major conversion or transition)
Current operational version is Version X, released [ {date} [or proposed for release {date}]. Version X+1 is scheduled for
production release in {date}.
1.9.
General Description/Purpose
Present a brief description (one-three paragraphs) of the function and purpose of the System.
Include Description here:
List all applications supported by the system. Also, specify if each application is, or is not, a major application.
Include Description here:
Describe each application's function and the type of information and processing it performs.
Include Description here:
Describe the processing flow of the application from system input to system output.
Include Description here:
List user organizations (internal & external) and type of data and processing provided.
Include Description here:
{Include graphics that provide a visual explanation of the system operations. Diagrams should
include a logical and/or physical representation of the system, as well as the network layout, the
data-flow and the database schema.}
Yes
No
2. Sensitivity of Information
2.1.
Integrity
Need
Protect the data contained
within the [name of systems]
from disclosure at all times;
Allow only authorized
individuals access to data
on an as-needed basis.
Protect data contained
within the [name of systems]
from unauthorized changes;
Protectio
n Level
H
M
L
H
M
Availability
H
M
Additional Comments:
Overall System Categorization
Low
Moderate
High
Based on the protection requirements for confidentiality, integrity and availability, the overall system sensitivity is
LOW. The effect of the loss, misuse or unauthorized access to [name of system] data could have a limited adverse
effect on operations and assets.
Technical Controls
Access Control Policy and Procedures (AC-1): The organization develops, disseminates,
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
accounts, including:
A. Identifying account types (i.e., individual, group, system, application,
guest/anonymous, and temporary);
B. Establishing conditions for group membership;
C. Identifying authorized users of the information system and specifying access
privileges;
D. Requiring appropriate approvals for requests to establish accounts;
E. Establishing, activating, modifying, disabling, and removing accounts;
F. Specifically authorizing and monitoring the use of guest/anonymous and
temporary accounts;
G. Notifying account managers when temporary accounts are no longer required and
when information system users are terminated, transferred, or information system
usage or need-to-know/need-to-share changes;
H. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts
of terminated or transferred users;
I. Granting access to the system based on: (i) a valid access authorization; (ii)
intended system usage; and (iii) other attributes as required by the organization or
associated missions/business functions; and
J. Reviewing accounts [Assignment: organization-defined frequency].
System-Specific Control
Individual / Organization Responsible
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Technical Controls
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
In Place
Planned
Not In Place
Not Applicable
Hybrid Control
Common Control
a. Provides audit record generation capability for the list of auditable events defined
in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to
be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the
content as defined in AU-3.
System-Specific Control
Individual / Organization Responsible
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Management Controls
A. Develops a security assessment plan that describes the scope of the assessment
including:
-Security controls and control enhancements under assessment
-Assessment procedures to be used to determine security control effectiveness
-Assessment environment, assessment team, and assessment roles and responsibilities
B. Assesses the security controls in the information system [Assignment:
organization-defined frequency] to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome
with respect to meeting the security requirements for the system
C. Produces a security assessment report that documents the results of the assessment
D. Provides the results of the security control assessment, in writing, to the
authorizing official or authorizing official designated representative.
System-Specific Control
Individual / Organization Responsible
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
10
A. Develops a plan of action and milestones for the information system to document
the organizations planned remedial actions to correct weaknesses or deficiencies
noted during the assessment of the security controls and to reduce or eliminate known
vulnerabilities in the system
B. Updates existing plan of action and milestones [Assignment: organization-defined
frequency] based on the findings from security controls assessments, security impact
analyses, and continuous monitoring activities.
System-Specific Control
Individual / Organization Responsible
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
11
Operational Controls
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Operational Controls
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
12
Operational Controls
In Place
Planned
Not In Place
Not Applicable
Hybrid Control
Common Control
Planning (PL)
Management Controls
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
13
In Place
Planned
Not In Place
Not Applicable
Hybrid Control
Common Control
C&A Manager
Management Controls
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
14
Management Controls
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
Operational Controls
FLAW REMEDIATION (SI- 2): The organization identifies, reports, and corrects
information system flaws;
1 Tests software updates related to flaw remediation for effectiveness and
potential side effects on organizational information systems before
installation; and
2 Incorporates flaw remediation into the organizational configuration
management process.
System-Specific Control
Individual / Organization Responsible
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
OTSO,C&A Manager
15
retains output from the information system in accordance with applicable laws,
Executive Orders, directives, policies, regulations, standards, and operational
requirements.
System-Specific Control
Individual / Organization Responsible
Hybrid Control
In Place
Planned
Not In Place
Not Applicable
Common Control
C&A Manager
16
High
Medium
Low
High
Medium
Low
High
Medium
Low
High
Medium
Low
Control
Finding
Risk
Recommendation
Control
Finding
Risk
Recommendation
Control
Finding
Risk
Recommendation
17
4. Documentation
List the documentation maintained for the system (e.g., vendor documentation of hardware/software, functional
requirements, system security plans, system program manuals, test results documents, standard operating
procedures, emergency procedures, contingency plans, user rules/procedures, risk assessment,
certification/accreditation statements/documents, verification reviews and site inspections.
18