Security PlansThe security planning process eventually produces a Site Security Plan, known as the "Security Plan" or SSP. The security plan provides an overview of the security requirements of the system and the security controls designed to meet those requirements. It is a compilation of all the documentation produced by the key security processes.
The security planning process begins in the INITIATION phase of the SDLC, where system characterization describes the system and its mission and functions. The output from impact assessments offer the beginnings of the security plan and provide input for the risk assessment process.
Once the risk assessment has helped define the requirements and security controls have selected and tailored, the security controls and any modification made to them must be documented. As the controls are implemented, the configuration settings associated with them must also be documented and should be included in or referenced by the configuration managment plan.
Assemble the plan - some of the supporting pieces that should either be included in the main body of the security plan or attached as appendices or external documents include:
- Business Impact Assessment
- Privacy Assessment
- Risk Assessment
- Configuration Management Plan
- Contingency Plan
- Awareness and Training Plan
- Incident Response Plan
- Security Impact Assessment
- Rules of Behavior
- Authorization (C&A)
KEY NIST DOCS:
800-18 "Guide for Developing Security Plans for Federal Information Systems"
800-53 "Recommended Security Controls for Federal Information System"
800-100 "Information Security Handbook: A Guide for Managers"
FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems"