Red Clay Renovations operates in multiple locations, with field offices in downtown Baltimore and suburban Philadelphia, an operations center in the Baltimore suburb of Owings Mills, and an office in Wilmington, Delaware. While all of these locations fall under Red Clay Renovations’ authority, each location differs in the specific operations it performs. For example, the operations center handles accounting and corporate operations, whereas the field offices are responsible for development and project management. The field offices also differ slightly from one another in practice, due mainly to their locations and self-governed infrastructures, while maintaining roughly the same number of management and support personnel. The following briefing paper discusses why each location, and specifically the relatively similar field offices, requires a separate System Security Plan.
System Security Plan
A System Security Plan, often abbreviated SSP, is the main document that supports and outlines all security controls used within an information system. This document typically describes how each security control is implemented, provides an inventory of devices and services, and details data flows and system boundaries (FedRAMP, 2018). Creating a single, universal System Security Plan to cover every location may not be conducive to business operations, and may also severely impact the overall security of systems and data at each location.
Why is a Separate SSP Required for each of the Field Offices?
Each of the field offices resides in a separate state. While it is not uncommon for U.S. companies to operate in multiple states, each location falls within a separate legal and regulatory environment, and the company must be mindful of each state’s requirements, e.g. licensing and permits, regarding how sensitive data is collected, maintained, and stored (Thomson Reuters, 2019). Each location also operates and maintains its own information technology (IT) infrastructure, with varying systems and devices that require special consideration when creating a System Security Plan. Additionally, given that Red Clay Renovations utilizes guidance from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, NIST Special Publication 800-171 specifically requires organizations to conduct periodic, system-specific security assessments, which in turn protect the Health Insurance Portability and Accountability Act of 1996 (HIPAA) data collected, stored, and maintained by the company (Ross, Viscuso, Guissanie, Dempsey, & Riddle, 2016, p. 14).
Overview and Conclusion
Red Clay Renovations conducts business operations from multiple locations along the East Coast; however, given the differences in operations among the locations, the company should implement site-specific System Security Plans. With regard to the field offices, each location has significantly different legal and regulatory requirements, each location maintains its own IT infrastructure, and, in order to maintain compliance with the NIST Cybersecurity Framework, Red Clay Renovations must conduct periodic and explicit security assessments of each proprietary system.
FedRAMP. (2018). Developing a system security plan (SSP). Retrieved from https://www.fedramp.gov/developing-a-system-securi…
Ross, R., Viscuso, P., Guissanie, G., Dempsey, K., & Riddle, M. (2016). Protecting controlled unclassified information in nonfederal systems and organizations (Special Publication 800-171). Retrieved from NIST website: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistsp…
Thomson Reuters. (2019). Data licensing: Taking into account data ownership. Retrieved from https://legal.thomsonreuters.com/en/insights/artic…