To protect an organization's IT system (i.e., hardware, software, facilities, network, etc.) and the sensitive information stored in it, appropriate safeguards and security plans are necessary. A good IT security plan can identify, detect, solve, and prevent cybersecurity incidents such as malware, viruses, phishing, system failures, and employee mistakes. A System Security Plan (SSP) is a useful source for an overview of IT systems and the security controls implemented on them (SysArc, 2019). An SSP document contains the system owner, the name of the system, security requirements, architecture, and a list of controls in the management, operational, and technical categories, along with how each control should be implemented and what level is responsible for it (Gantz, 2013). The SSP should contain the controls that are determined by Federal Information Processing Standards (FIPS) 199 and the template from NIST SP 800-53 (UAB, n.d.).
Red Clay Renovation has a few different field offices, and each needs its own separate SSP because the IT infrastructure and responsible personnel differ from one office to the next. For example, an office that has “home smart” and Internet of Things (IoT) devices and an office that does not will have different policy and security guidelines. More importantly, the offices are in different states and locations, which means that state legal requirements and policies differ and that area-specific threats should be considered in the SSP. Of course, it is much easier to create one SSP that fits all offices, since most of the field offices have similar, though not 100% identical, IT architecture. That said, a separate SSP that actually matches each office’s unique IT structure and systems can be much more effective at protecting the IT system from security incidents.
In summary, an SSP is a document that identifies and details information about the information system and the security controls implemented in it. One SSP document is not suitable for all the Red Clay Renovation field offices because differences in state laws, risks, IT infrastructure, and personnel require different control systems. If the SSP is used correctly, the company can protect the confidentiality, integrity, and availability of sensitive data much more efficiently.
Gantz. (2013). System Security Plan. Retrieved April 23, 2019, from https://www.sciencedirect.com/topics/computer-science/system-security-plan
SysArc. (2019, April 01). How to Create a System Security Plan (SSP) for NIST 800-171. Retrieved April 23, 2019, from https://www.sysarc.com/cyber-security/how-to-creat…
UAB. (n.d.). Retrieved April 23, 2019, from https://www.uab.edu/research/administration/office…