What is a general support system as defined in NIST SP 800-18?

  

Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the required system security plan for a General Support System. In your research so far, you have learned that:
A general support system is defined as an interconnected set of information resources under the same direct management control that shares common functionality. (See NIST SP 800-18)
The Field Office manager is the designated system owner for the IT support systems in his or her field office.
The system boundaries for the field office General Support System have already been documented in the companys enterprise architecture (see the case study).
The security controls required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).
All of the attachments attached will help do the question.
Information System Security Plan
1. Information System Name/Title:
Unique identifier and name given to the system. [use information from the case study]
2. Information System Categorization:
Identify the appropriate system categorization [use the information from the case study].
3. Information System Owner:
Name, title, agency, address, email address, and phone number of person who owns the system.
[Use the field office manager]
4. Authorizing Official:
Name, title, agency, address, email address, and phone number of the senior management
official designated as the authorizing official. [Use the companys Chief Information
Officer.]
5. Other Designated Contacts:
List other key personnel, if applicable; include their title, address, email address, and phone
number. [include the CISO, the ISSO, and other individuals from the case study, if
appropriate]
6. Assignment of Security Responsibility:
Name, title, address, email address, and phone number of person who is responsible for the
security of the system. [use the case study information]
7. Information System Operational Status:
Indicate the operational status of the system. If more than one status is selected, list which part
of the system is covered under each status. [Use the case study information.]
8.0 Information System Type:
Indicate if the system is a major application or a general support system. If the system contains
minor applications, list them in Section 9. General System Description/Purpose. [use the case
study information]
9.0 General System Description/Purpose
Describe the function or purpose of the system and the information processes. [use the case
study information]
10. System Environment
Provide a general description of the technical system. Include the primary hardware, software,
and communications equipment.
[use the case study information and diagrams. Add brand names, equipment types as required (if
not provided in the case study)]
11. System Interconnections/Information Sharing
1
Information System Security Plan
List interconnected systems and system identifiers (if appropriate), provide the system name,
owning or providing organization, system type (major application or general support system)
add a fictional date of agreement to interconnect, and the name of the authorizing official.
12. Related Laws/Regulations/Policies
List any laws or regulations that establish specific requirements for the confidentiality,
integrity, or availability of the data in the system.
13. Minimum Security Controls
Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for
each section. Cut and paste the tables from the provided security controls baseline to add the
individual security controls under each section. Use the sections and sub-sections as listed below.
13.1 Management Controls
[provide a descriptive paragraph]
13.1.1 [first control family]
[provide a descriptive paragraph]
13.1.2 [second control family]
13.2 Operational Controls
[provide a descriptive paragraph]
13.2.1 [first control family]
13.2.2 [second control family]
..
13.3 Technical Controls
[provide a descriptive paragraph]
13.3.1 [ first control family]
13.3.2 [ second control family]
Example:
2
Information System Security Plan
14. Information System Security Plan Completion Date: _____________________
Enter the completion date of the plan.
15. Information System Security Plan Approval Date: _______________________
Enter the date the system security plan was approved and indicate if the approval
documentation is attached or on file.
3
Project #3: System Security Plan
Company Background & Operating Environment
The assigned case study and attachments to this assignment provide information about the
company.
Use the Baltimore field office as the target for the System Security Plan
Use Verizon FiOS as the Internet Services Provider (see
http://www.verizonenterprise.com/terms/us/products/internet/sla/ )
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to
protect information, information systems, and the information infrastructures for the companys field
offices. This requirement has been incorporated into the companys risk management plan and the
companys CISO has been tasked with developing, documenting, and implementing the required security
measures. The IT Governance board also has a role to play since it must review and approve all changes
which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using
guidance from NIST SP-800-18 Guide for Developing Security Plans for Federal Information Systems. The
IT Governance board, after reviewing the CISOs proposed plan of action, voted and accepted this
recommendation. In its discussions prior to the vote, the CISO explained why the best practices
information for security plans from NIST SP 800-18 was suitable for the companys use. The board also
accepted the CISOs recommendation for creating a single System Security Plan for a General Support
System since, in the CISOs professional judgement, this type of plan would best meet the
formalization requirement from the companys recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the
required system security plan for a General Support System. In your research so far, you have learned
that:
A general support system is defined as an interconnected set of information resources
under the same direct management control that shares common functionality. (See
NIST SP 800-18)
The Field Office manager is the designated system owner for the IT support systems in
his or her field office.
The system boundaries for the field office General Support System have already been
documented in the companys enterprise architecture (see the case study).
The security controls required for the field office IT systems have been documented in a
security controls baseline (see the controls baseline attached to this assignment).
Research:
1. Review the information provided in the case study and in this assignment, especially the
information about the field offices and the IT systems and networks used in their day to day
business affairs.
2. Review NISTs guidance for developing a System Security Plan for a general support IT System.
This information is presented in NIST SP 800-18. http://csrc.nist.gov/publications/nistpubs/80018-Rev1/sp800-18-Rev1-final.pdf Pay special attention to the Sample Information System
Security Plan template provided in Appendix A.
3. Review the definitions for IT Security control families as documented in Federal Information
Processing Standard (FIPS) 200: Minimum Security Requirements for Federal Information and
Information Systems (see section 3).
4. Review the definitions for individual controls as listed in Appendix F Security Control Catalog in
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf You should focus on
those controls listed in the security controls baseline provided with this assignment.
Write:
1. Use the following guidance to complete the System Security Plan using the template from
Appendix A of NIST SP 800-18.
a. Sections 1 through 10 will contain information provided in the assigned case study. You
may need to interpret that information when writing the descriptions. Fill in the
blanks for information about the company or its managers which is not provided in the
case study, i.e. names, email addresses, phone numbers, etc.). Make sure that your
fictional information is consistent with information provided in the case study (name of
company, locations, etc.).
b. Section 11 should contain information about the field offices Internet connection Do
not include the table. Use the business Internet Services Provider listed at the top of this
assignment file. Describe the system interconnection type in this section and service
level agreement.
c. Section 12 should contain information derived from the case study. You will need to
identify the types of information processed in the field office and then list the laws and
regulations which apply. For example, if the case study company processes or stores
Protected Health Information, then this section must include information about HIPAA.
If the company processes or stores credit card payment information, then this section
must include information about the PCI-DSS requirements.
d. Section 13 of the SSP will take the most editing time. Use the information about
required security controls as provided security controls baseline.
i. Create 3 sub sections (13.1 Management Controls, 13.2 Operational Controls,
and 13.3 Technical Controls). You must provide a description for each category
(see the definitions provided in Annex 11.B Minimum Security Controls in NIST
SP 800-100 Information Security Handbook: A Guide for Managers).
ii. Using the information provided in the security controls baseline, place the
required control families and controls under the correct sub section.
iii. Use the exact names and designators for the security control families and
individual security controls. BUT, you MUST paraphrase any and all descriptions.
Do NOT cut and paste from NIST documents.
e. Section 14: use the due date for this assignment as the plan complete date.
f. Section 15: leave the approval date blank. You will not have any other text in this
section (since the plan is not yet approved).
2. Use a professional format for your System Security Plan. Your document should be consistently
formatted throughout and easy to read.
3. Common phrases do not require citations. If there is doubt as to whether or not information
requires attribution, provide a footnote with publication information or use APA format
citations and references.
4. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
Red Clay Renovations
A case study for CSIA 413
Valorie J. King, PhD
3/30/2016
Copyright 2016 by University of Maryland University College. All Rights Reserved.
CSIA 413: Cybersecurity Policy, Plans, and Programs
Table of Contents
Company Overview ……………………………………………………………………………………………………………………… 1
Corporate Governance & Management ……………………………………………………………………………………… 1
Operations ……………………………………………………………………………………………………………………………… 4
Acquisitions …………………………………………………………………………………………………………………………….. 4
Legal and Regulatory Environment …………………………………………………………………………………………….. 5
Policy System ………………………………………………………………………………………………………………………….. 6
Risk Management & Reporting ………………………………………………………………………………………………….. 6
IT Security Management …………………………………………………………………………………………………………… 7
Information Technology Infrastructure ………………………………………………………………………………………….. 8
Enterprise Architecture…………………………………………………………………………………………………………….. 8
Operations Center IT Architecture……………………………………………………………………………………………… 9
Field Office IT Architecture ……………………………………………………………………………………………………… 10
System Interconnections ………………………………………………………………………………………………………… 11
Tables
Table 1. Key Personnel Roster ………………………………………………………………………………………………………. 3
Table 2. Red Clay Renovations Office Locations & Contact Information ……………………………………………… 4
Figures
Figure 1. Red Clay Renovations Organization Chart …………………………………………………………………………. 2
Figure 2. Overview for Enterprise IT Infrastructure ………………………………………………………………………….. 9
Figure 3. IT Architecture for Operations Center ………………………………………………………………………………. 9
i
Company Overview
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the
renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating
homes using smart home and Internet of Things technologies while maintaining period correct
architectural characteristics. The companys primary line of business is Home Remodeling Services
(NAICS 236118).
Corporate Governance & Management
Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock
is not publicly traded on a stock exchange.)The company maintains a legal presence (Corporate
Headquarters) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company
has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer
(CFO) each own 25% of the corporations stock; both serve on the BoD. The CEO is the chair person for
the BoD. The three additional members of the BoD are elected from the remaining stock holders and
each serve for a three year term. The BoD provides oversight for the companys operations as required
by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state
and federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit
of the stockholders (see http://www.nolo.com/legal-encyclopedia/fiduciary-responsibilitycorporations.html). The BoD has adopted a centrally managed Governance, Risk, and Compliance
(GRC) methodology to ensure that the corporation meets the expectations of stakeholders while
complying with legal and regulatory requirements.
The companys senior management includes the Chief Executive Officer (CEO), Chief Financial Officer
(CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C), Director of
Customer Relations (CR), Director of Human Resources (HR), the Director of Information Technology
Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the
companys Chief Information Security Officer (CISO). These individuals constitute the Executive Board for
the company and are responsible for implementing the business strategies, policies, and plans approved
by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The
five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board
considers all matters related to the acquisition, management, and operation of the companys
information technology resources.
The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR,
and HR have over 20 years each with the company. The Director for M&M has ten years of service. The
Director of ITS / CISO has been with the company less than two years and is still trying to bring a
semblance of order to the IT management program especially in the area of IT security services. This is
a difficult task due to the companys failure to promptly hire a replacement for the previous director
who retired two years ago.
1
CSIA 413: Cybersecurity Policy, Plans, and Programs
Figure 1. Red Clay Renovations Organization Chart
2
CSIA 413: Cybersecurity Policy, Plans, and Programs
Table 1. Key Personnel Roster
Name & Title
James Randell
CEO
Irma Bromley
Office
Location
Wilmington
Office Phone
No.
910-555-2158
email
Wilmington
910-555-2150
Irma_Bromley@ redclayrennovations.com
Wilmington
910-555-2152
nr@redclayrenovations.com
Wilmington
910-555-2159
marcus@redclayrenovations.com
Owings Mills
667-555-5000
julia@redclayrenovations.com
Wilmington
910-555-1000
ed@redclayrenovations.com
Owings Mills
667-555-6260
Erwin_Carrington@hq.redclayrenovations.com
Owings Mills
667-555-6370
Eric_Carpenter@hq.redclayrenovations.com
Owings Mills
667-555-6400
an@redclayrenovations.com
Ownings Mills
667-555-6900
rn@redclayrenovations.com
Owings Mills
667-555-8000
en@redclayrenovations.com
Baltimore
443-555-2900
Charles@balt.redclayrenovations.com
Baltimore
443-555-2900
Erica@balt.redclayrenovations.com
Philadelphia
267-555-1200
William@philly.redclayrenovations.com
Philadelphia
267-555-1200
Alison@philly.redclayrenovations.com
jr@redclayrenovations.com
Executive Assistant to
Mr. Randell
Nancy Randell
Chief of Staff
Marcus Randell
CFO
Julia Randell
COO
Edward Randell, Esq
Corporate Counsel
Erwin Carrington
CIO & Director IT
Services
Eric Carpenter
CISO / Deputy CIO
Amanda Nosinger
Director, Customer
Relations
Rebecca Nosinger
Director, Marketing &
Media
Eugene Nosinger
Director, Architecture
& Services
Charles Kniesel
Manager & Architect
in Charge, Baltimore
Field Office
Erica Kniesel
Office Manager &
ISSO, Baltimore Field
Office
William Kniesel
Manager & Architect
in Charge,
Philadelphia Field
Office
Alison Kniesel-Smith
Office Manager &
ISSO, Philadelphia
Field Office
3
CSIA 413: Cybersecurity Policy, Plans, and Programs
Operations
Red Clay Renovations has offices in Baltimore, MD, Philadelphia PA, and Wilmington, DE. The contact
information for each location is provided in Table 2.
Table 2. Red Clay Renovations Office Locations & Contact Information
Location
Baltimore Field Office
Philadelphia Field Office
Operations Center (Owings Mills)
Wilmington Office
Mailing Address
200 Commerce Street, Suite 450
Baltimore, MD 21201
1515 Chester Street
Philadelphia, PA 19102
12209 Red Clay Place
Owings Mills, MD 21117
12 High Street
Wilmington, DE 19801
Phone Number
443-555-2900
267-555-1200
667-555-6000
910-555-2150
The Operations Center is the companys main campus and is located in suburban Baltimore, MD (Owings
Mills). The Owings Mills facility houses the companys data center as well as general offices for the
companys operations. These operations include: accounting & finance, customer relations, human
resources, information technology services, marketing, and corporate management. There are
approximately 100 employees at the Operations Center. Day to day management of the Owings Mills
facility is provided by the companys Chief Operating Officer (COO).
The companys Chief Executive Officer, corporate counsel, and support staff maintain a presence in the
companys Wilmington, DE offices but spend most of their time at the Owings Mills operations center.
Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing
director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager.
Support personnel (receptionist, clerks, etc.) are contractors provided by a local staffing services firm.
Each office operates and maintains its own IT infrastructure.
The companys architects, project managers, and other support personnel frequently work from
renovation sites using cellular or WiFi connections to access the Internet. Many field office employees
are also authorized to work from home or an alternate work location (telework site) one or more days
per week.
Acquisitions
Red Clay acquired Reality Media Services, a five person digital media & video production firm in 2015
(NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential
4
CSIA 413: Cybersecurity Policy, Plans, and Programs
construction project undertaken by Red Clay Renovations. RMS also provides Web design and social
media services for Red Clay Renovations to promote its services. RMS employees work primarily out of
their own home offices using company provided equipment (computers, video / audio production
equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and
camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent
entity. Red Clay senior management is working to change this, however, starting with bringing all IT and
IT related resources under the companys central management. As part of this change, Red Clay has set
up a media production facility (Media Studio) in its headquarters location which includes office space
for RMS personnel. The production facility and RMS operations are under the management control of
the Director, Marketing & Media Services.
Legal and Regulatory Environment
The firm is licensed to do business as a general contractor for residential buildings in three states (DE,
MD, PA). The companys architects maintain professional licensure in their state of residence. The
companys general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial
Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states.
The company collects, maintains, and stores personal information from and about customers over the
normal course of doing business. This includes credit checks, building plans and drawings for homes, and
information about a customers family members which needs to be taken into consideration during the
design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.).
When renovations are required due to a medical condition or disability, the company works with health
insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the
home and to obtain reimbursement from insurers. This sometimes requires that the company receive,
process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as
provided by the customer. The companys legal counsel has advised it to be prepared to show
compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field
offices and in the operations center.
Red Clay began offering Smart Home renovation services in 2005 (NAICS Codes 541310 and 236118).
These services are primarily offered out of the Baltimore and Philadelphia field offices. A large
percentage of the companys smart home remodeling work is financed by customers through the
Federal Housing Administrations 203K Rehab Mortgage Insurance program. Red Clay provides
assistance in filling out the required paperwork with local FHA approved lenders but does not actually
process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and
accepts credit card payments for services.
As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the
Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy
5
CSIA 413: Cybersecurity Policy, Plans, and Programs
filing, there are substantial criminal penalties for failure to protect business records from destruction or
spoliation.
Policy System
The companys Chief of Staff is responsible for the overall organization and management of the
companys collection of formal policies and procedures (policy system). The companys policies
provide guidance to employees and officers of the company (CEO, CFO, and the members of the Board
of Directors) with respect to their responsibilities to the company. Policies may be both prescriptive
(what must be done) and proscriptive (what must not be done). Responsibility for writing and
maintaining individual policies is assigned to a designated manager or executive within the company.
Each policy identifies the responsible individual by title, e.g. Director of Human Resources.
The major policy groupings are:

Human Resources
Financial Management
Information Technology
Employee Handbook
Manager Deskbook
Selected policies are published as an Employee Handbook and a Managers Deskbook to communicate
them to individual employees and managers and to ensure that these individuals are aware of the
content of key policies which affect how they perform their duties.
Risk Management & Reporting
The company engages in a formal risk management process which includes identification of risks,
assessment of the potential impact of each risk, determination of appropriate risk treatments
(mitigation, acceptance, transfer), and implementation of the risk management strategy which is based
upon the selected risk treatments. For information technology related risks, the CISO working in
conjunction with the IT Governance Board is responsible for identifying and assessing risks.
Corporate-wide, high level risks which could impact the companys financial performance are disclosed
to shareholders during the annual meeting and in the Annual Report to Investors. For the current year,
the following high level cybersecurity related risks will be disclosed.
1. Cyber-attacks could affect our business.
2. Disruptions in our computer systems could adversely affect our business.
3. We could be liable if third party equipment, recommended and installed by us (e.g. smart home
controllers), fails to provide adequate security for our residential clients.
6
CSIA 413: Cybersecurity Policy, Plans, and Programs
The companys risk treatments for cybersecurity related risks include purchasing cyber liability
insurance, implementing an asset management and protection program, implementing configuration
baselines, implementing configuration management for IT systems and software and auditing
compliance with IT security related policies, plans, and procedures.
The corporate board was recently briefed by the Chief Information Officer concerning the companys IT
Security Program and how this program contributes to the companys risk management strategy. During
the briefing, the CIO presented assessment reports and audit findings from IT security audits. These
audits focused upon the technical infrastructure and the effectiveness and efficiency of the companys
implementation of security controls. During the discussion period, members of the corporate board
asked about audits of policy compliance and assessments as to the degree that employees were (a)
aware of IT security policies and (b) complying with these policies. The CIO was tasked with providing
audit reports for these items before the next quarterly meeting of the corporate board.
The corporate board also asked the CIO about future plans for improvements to the IT Security program.
The CIO reported that, in the coming year, the CISO will begin implementation of an IT vulnerability
management program. The CIO also reported that the CISO is working with the IT Governance Board to
restart the companys security education, training, and awareness (SETA) program. SETA activities had
fallen into disuse due to a perceived lack of quality and lack of timeliness (out of date materials). The
CISO has also determined that the System Security Plans for the field offices are out of date and lacking
in important security controls. These plans have been scheduled for update in the near future to ensure
that the companys risk management strategy for cybersecurity risks is fully implemented.
IT Security Management
The companys Chief Information Security Officer (CISO) is responsible for providing management
oversight and technology leadership for the companys Information Technology security program. This
program is designed around the ISO 27001/27002 requirements but is not fully compliant. For cost
reasons, the Chief Information Officer (CIO) has decided not to pursue implementation of CobiT or ITIL
standards for managing IT systems and services. A less costly alternative, using NIST guidance
documents, was approved at the CISOs suggestion. The CISOs selected guidance documents include:

Don't use plagiarized sources. Get Your Custom Essay on
What is a general support system as defined in NIST SP 800-18?
Just from $13/Page
Order Essay

NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook:
NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and
Organizations
NIST SP 800-100 Information Security Handbook: A Guide for Managers
NISTIR 7621 Small Business Information Security: The Fundamentals
The CISO has determined that the closest fit for the level of security required by law for the companys
IT systems is the moderate level as defined in the FIPS 199/200 standards and specified in NIST SP
7
CSIA 413: Cybersecurity Policy, Plans, and Programs
800-53 Revision 4. The company has created its own minimum security controls baseline which is used
for developing system security plans.
Under the companys existing IT Security Management Plan, the following individuals are responsible for
the security of its IT systems.
1. Chief Information Officer: designated approving official for all IT systems certification and
authorization.
2. Chief Information Security Officer: responsible for developing security plans and procedures.
3. Chief Financial Officer: responsible for negotiating and providing oversight for contracts and
service level agreements for IT services.
4. Chief Operating Officer: responsible for approval of and compliance with security plans and
procedures for the companys IT Operations Center. The COO is the system owner for all IT
systems in the operations center.
5. Field Office Manager: responsible for approval of and compliance with security plans and
procedures for his or her field office. The field office manager is the system owner for all IT
systems in his or her field office.
6. Field Office Information Systems Security Officer (ISSO): responsible for day to day
implementation of security plans, processes, and procedures.
Information Technology Infrastructure
Enterprise Architecture
The overview for the enterprise IT architecture for Red Clay Renovations is shown in Figure 2. This
diagram shows the interconnections between the companys field offices and the operations center.
Each facility-to-facility interconnection is made via a Virtual Private Network (VPN). The VPN connects
the Local Area Networks (LANs) in the operations center and the field offices to the companys
enterprise network. All IT systems are in the operational phase of the Systems Development Lifecycle.
The company does not have plans at this time to upgrade (major modification) or implement (under
development) any IT systems.
8
CSIA 413: Cybersecurity Policy, Plans, and Programs
Figure 2. Overview for Enterprise IT Infrastructure
Operations Center IT Architecture
The Owings Mills facility (see Figure 3) contains the companys operations (data) center as well as
general offices for the companys operations. These operations include: accounting & finance, customer
relations, human resources, information technology services, marketing, and corporate management.
Figure 3. IT Architecture for Operations Center
9
CSIA 413: Cybersecurity Policy, Plans, and Programs
Field Office IT Architecture
The companys corporate headquarters are located in Wilmington, DE. These offices have the same IT
architecture as is used by the field offices in Baltimore and Philadelphia (see Figure 4). The companys
Chief Executive Officer and support staff maintain a presence in Delaware but spend most of their time
at the Owings Mills operations center. The companys architects, project managers, and other support
personnel frequently work from renovation sites using cellular or WiFi connections to access the
Internet. Many field office employees, including Reality Media Services staff, are also authorized to
work from home or an alternate work location (telework site) one or more days per week.
Red Clays offices have been remodeled to use the smart home and Internet of Things technologies
which it installs in the residential buildings that it rehabilitates. These devices have IP addresses and are
connected to the in-office wireless network (WiFi). Each smart device has a controller which can be
accessed via a Web-based interface that runs on the offices application server (username and password
required). The brand and type of equipment varies. The majority of these devices have little to no
security beyond a password protected Web-based logon. Every Red Clay location also has one or more
conference rooms which provide smart podiums, projection and video conferencing technologies, and
wireless network access to both the internal network and the Internet.
All locations use Dell computers for laptops, desktop computers, and servers. The laptops and desktops
were recently upgraded to Windows 10 Enterprise for their operating systems. The servers are running
Windows server 2012. All Windows systems have Symantec Endpoint Protection installed for host-based
security (anti-malware, host-based firewall, host-based intrusion detection).
Figure 4. Smart Office IT Architecture (Baltimore, Philadelphia, Wilmington)
10
CSIA 413: Cybersecurity Policy, Plans, and Programs
Each field office uses the same logical architecture. This infrastructure consists of a local area network
with both wired and wireless segments. A wiring closet containing the premises router and switches is
located in the office space (labeled Utilities in the diagram). The smart office and IoT devices are
also located within the office suites and are connected via WiFi to the Wireless Access Points and from
there to the office LAN. These devices are individually addressable via their IP addresses. Some have
onboard programmable controllers with Web based interfaces. Others have limited onboard
functionality and must be controlled via a central console (which has an IP address and Web based
interface). The RFID system used to control access to doors has sensor plates affixed to the walls. These
sensors are hard wired to a controller in the utilities closet. This controller connects to the local area
network and can be accessed via a Web based interface using its IP address. Access control for the Web
based interfaces (used for RFID system and smart device control) is limited to password protected
logons.
System Interconnections
The Operations Center and the individual Field Offices connect to the Internet via a business grade
Internet Services Provider with a standard Service Level Agreement (as established by the ISP). Systems
interconnections between internal systems and between facilities are certified and approved by the
Chief Information Officer. These interconnections include Virtual Private Network connections between
the Operations Center and the Field Offices over ISP provided networks). The VPN is used to protect the
confidentiality and integrity of information transmitted between IT systems located in the companys
field offices, its headquarters, and the operations center. (See Information Technology Infrastructure
later in this document for additional information about system interconnections.)
The operations center and field offices each have their own network infrastructure built on CISCO
branded equipment (Virtual Private Network (VPN), wired and wireless local area networks, wireless
access points, switches, a premise firewall, and intrusion detection system). Offices and server rooms
have RJ-45 wall jacks for 100BaseT wired connections to the local area network. Network equipment
serving individual LAN segments is located in locked equipment closets (wiring closets) within the
office areas.
The companys Wide Area Networking (WAN) and Internet services are provided by Verizon Business
services. These services include static IP addresses for the companys network connections and domain
name service for the companys primary domain name (RedClayRenovations.com) and multiple third
level domain names (e.g. balt.redclayrenovations.com, philly.redclayrenovations.com, etc.). The
company owns, operates, and manages its own Active Directory server, multiple Web servers, Email
servers, file and print servers, and multiple application /database servers. These servers are accessed via
local area network (LAN) and virtual private network (VPN) connections. The Email and public Web
servers are located in a protected network segment (Demilitarized Zone AKA DMZ) and are accessible
from both internal and external networks.
11
CSIA 413: Cybersecurity Policy, Plans, and Programs
Verizon provides fiber optic cables to the building demarc. Internally, the company owns the cable
infrastructure and has predominantly Cat 5 cabling inside the buildings. Company owned cabling also
runs from the Verizon owned demarc to a company owned/maintained central wiring closet. This closet
also contains routers and switches serving the internal LANs.
Telephone service is provided to each office building via fiber optic cables (as part of the FiOS business
services). Internal to the buildings, telephone service routes through an Alcatel Private Brach Exchange
(PBX) system over ANSI/TIA/EIA-568-B compliant wiring (predominantly Cat 3 cabling). The PBX system
does not connect to the companys internal networks.
The company allows employees to bring and use their own personal digital devices (laptops, cell phones,
cameras, etc.) provided that these devices are required to perform their duties. Contract employees are
not allowed to bring your own device (BYOD) and will be terminated if they are found to be using cell
phones or personal computers on the companys premises. Employees carry an RFID enabled proximity
access card which they use to access offices and other restricted areas. BYOD devices are NOT allowed
to connect directly to the companys VPN. These devices are restricted to WiFi access to the Internet
using the companys wireless access points.
12
Project #3: IT Security Controls Baseline for Red Clay Renovations
Red Clay Renovations IT Security policies, plans, and procedures shall use the following security control
classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the following controls.
1. AC: Access Controls (Technical Controls Category)
AC-1
AC-2
AC-3
AC-4
AC-5
AC-6
AC-7
AC-8
AC-11
AC-12
AC-14
AC-17
AC-18
AC-19
AC-20
AC-21
AC-22
Access Control Policy and Procedures
Account Management
Access Enforcement
Information Flow Enforcement
Separation of Duties
Least Privilege
Unsuccessful Logon Attempts
System Use Notification
Session Lock
Session Termination
Permitted Actions without Identification or Authentication
Remote Access
Wireless Access
Access Control for Mobile Devices
Use of External Information Systems
Information Sharing
Publicly Accessible Content
AC-1
AC-2 (1) (2) (3) (4)
AC-3
AC-4
AC-5
AC-6 (1) (2) (5) (9) (10)
AC-7
AC-8
AC-11 (1)
AC-12
AC-14
AC-17 (1) (2) (3) (4)
AC-18 (1)
AC-19 (5)
AC-20 (1) (2)
AC-21
AC-22
2. AT: Awareness and Training (Operational Controls Category)
AT-1
AT-2
AT-3
AT-4
Security Awareness and Training Policy and Procedures
Security Awareness Training
Role-Based Security Training
Security Training Records
AT-1
AT-2 (2)
AT-3
AT-4
3. AU: Audit and Accountability (Technical Controls Category)
AU-1
AU-2
AU-3
AU-4
AU-5
AU-6
AU-7
AU-8
AU-9
AU-10
AU-11
AU-12
Audit and Accountability Policy and Procedures
Audit Events
Content of Audit Records
Audit Storage Capacity
Response to Audit Processing Failures
Audit Review, Analysis, and Reporting
Audit Reduction and Report Generation
Time Stamps
Protection of Audit Information
Non-repudiation
Audit Record Retention
Audit Generation
AU-1
AU-2 (3)
AU-3 (1)
AU-4
AU-5
AU-6 (1) (3)
AU-7 (1)
AU-8 (1)
AU-9 (4)
Not Selected
AU-11
AU-12
4. CA: Security Assessment and Authorization (Management Controls Category)
CA-1
CA-2
CA-3
CA-5
CA-6
CA-7
CA-9
Security Assessment and Authorization Policies and
Procedures
Security Assessments
System Interconnections
Plan of Action and Milestones
Security Authorization
Continuous Monitoring
Internal System Connections
CA-1
CA-2 (1)
CA-3 (5)
CA-5
CA-6
CA-7 (1)
CA-9
5. CM: Configuration Management (Operational Controls Category)
CM-1
CM-2
CM-3
CM-4
CM-5
CM-6
CM-7
CM-8
CM-9
CM-10
CM-11
Configuration Management Policy and Procedures
Baseline Configuration
Configuration Change Control
Security Impact Analysis
Access Restrictions for Change
Configuration Settings
Least Functionality
Information System Component Inventory
Configuration Management Plan
Software Usage Restrictions
User-Installed Software
CM-1
CM-2 (1) (3) (7)
CM-3 (2)
CM-4
CM-5
CM-6
CM-7 (1) (2) (4)
CM-8 (1) (3) (5)
CM-9
CM-10
CM-11
6. Contingency Planning (Operational Controls Category)
CP-1
CP-2
CP-3
CP-4
CP-5
CP-6
CP-7
CP-8
CP-9
CP-10
Contingency Planning Policy and Procedures
Contingency Plan
Contingency Training
Contingency Plan Testing
Withdrawn
Alternate Storage Site
Alternate Processing Site
Telecommunications Services
Information System Backup
Information System Recovery and Reconstitution
CP-1
CP-2 (1) (3) (8)
CP-3
CP-4 (1)
–CP-6 (1) (3)
CP-7 (1) (2) (3)
CP-8 (1) (2)
CP-9 (1)
CP-10 (2)
7. IA: Identification and Authentication (Technical Controls Category)
IA-1
IA-2
Identification and Authentication Policy and Procedures
Identification and Authentication (Organizational Users)
IA-1
IA-2 (1) (2) (3) (8) (11) (12)
IA-3
IA-4
IA-5
IA-6
IA-7
IA-8
Device Identification and Authentication
Identifier Management
Authenticator Management
Authenticator Feedback
Cryptographic Module Authentication
Identification and Authentication (Non-Organizational
Users)
IA-3
IA-4
IA-5 (1) (2) (3) (11)
IA-6
IA-7
IA-8 (1) (2) (3) (4)
8. IR: Incident Response (Operational Controls Category)
IR-1
IR-2
IR-3
IR-4
IR-5
IR-6
IR-7
IR-8
Incident Response Policy and Procedures
Incident Response Training
Incident Response Testing
Incident Handling
Incident Monitoring
Incident Reporting
Incident Response Assistance
Incident Response Plan
IR-1
IR-2
IR-3 (2)
IR-4 (1)
IR-5
IR-6 (1)
IR-7 (1)
IR-8
9. MA: Maintenance (Operational Controls Category)
MA-1
MA-2
MA-3
MA-4
MA-5
System Maintenance Policy and Procedures
Controlled Maintenance
Maintenance Tools
Nonlocal Maintenance
Maintenance Personnel
MA-1
MA-2
MA-3 (1) (2)
MA-4 (2)
MA-5
10. MP: Media Protection (Operational Controls Category)
MP-1
MP-2
MP-3
MP-4
MP-5
MP-6
MP-7
Media Protection Policy and Procedures
Media Access
Media Marking
Media Storage
Media Transport
Media Sanitization
Media Use
MP-1
MP-2
MP-3
MP-4
MP-5 (4)
MP-6
MP-7 (1)
11. PE: Physical and Environmental Protection (Operational Controls Category)
PE-1
PE-2
PE-3
PE-4
PE-5
PE-6
PE-8
PE-9
PE-10
PE-11
PE-12
PE-13
PE-14
PE-15
PE-16
PE-17
Physical and Environmental Protection Policy and
Procedures
Physical Access Authorizations
Physical Access Control
Access Control for Transmission Medium
Access Control for Output Devices
Monitoring Physical Access
Visitor Access Records
Power Equipment and Cabling
Emergency Shutoff
Emergency Power
Emergency Lighting
Fire Protection
Temperature and Humidity Controls
Water Damage Protection
Delivery and Removal
Alternate Work Site
PE-1
PE-2
PE-3
PE-4
PE-5
PE-6 (1)
PE-8
PE-9
PE-10
PE-11
PE-12
PE-13 (3)
PE-14
PE-15
PE-16
PE-17
12. PL: Planning (Management Controls Category)
PL-1
PL-2
PL-4
PL-8
Security Planning Policy and Procedures
System Security Plan
Rules of Behavior
Information Security Architecture
PL-1
PL-2 (3)
PL-4 (1)
PL-8
13. PS: Personnel Security (Operational Controls Category)
PS-1
PS-2
PS-3
PS-4
PS-5
PS-6
PS-7
PS-8
Personnel Security Policy and Procedures
Position Risk Designation
Personnel Screening
Personnel Termination
Personnel Transfer
Access Agreements
Third-Party Personnel Security
Personnel Sanctions
PS-1
PS-2
PS-3
PS-4
PS-5
PS-6
PS-7
PS-8
14. RA: Risk Assessment (Management Controls Category)
RA-1
RA-2
RA-3
RA-5
Risk Assessment Policy and Procedures
Security Categorization
Risk Assessment
Vulnerability Scanning
RA-1
RA-2
RA-3
RA-5 (1) (2) (5)
15. SA: System and Services Acquisition (Management Controls Category)
SA-1
SA-2
SA-3
SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
System and Services Acquisition Policy and Procedures
Allocation of Resources
System Development Life Cycle
Acquisition Process
Information System Documentation
Security Engineering Principles
External Information System Services
Developer Configuration Management
Developer Security Testing and Evaluation
SA-1
SA-2
SA-3
SA-4 (1) (2) (9) (10)
SA-5
SA-8
SA-9 (2)
SA-10
SA-11
16. SC: System and Communications Protection (Technical Controls Category)
SA-1
SA-2
SA-3
SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
SC-28
SC-39
System and Services Acquisition Policy and Procedures
Allocation of Resources
System Development Life Cycle
Acquisition Process
Information System Documentation
Security Engineering Principles
External Information System Services
Developer Configuration Management
Developer Security Testing and Evaluation
Protection of Information at Rest
Process Isolation
SA-1
SA-2
SA-3
SA-4 (1) (2) (9) (10)
SA-5
SA-8
SA-9 (2)
SA-10
SA-11
SC-28
SC-39
17. SI: System and Information Integrity (Operational Controls Category)
SI-1
SI-2
SI-3
SI-4
SI-5
SI-7
SI-8
SI-10
SI-11
SI-12
SI-16
System and Information Integrity Policy and Procedures
Flaw Remediation
Malicious Code Protection
Information System Monitoring
Security Alerts, Advisories, and Directives
Software, Firmware, and Information Integrity
Spam Protection
Information Input Validation
Error Handling
Information Handling and Retention
Memory Protection
SI-1
SI-2 (2)
SI-3 (1) (2)
SI-4 (2) (4) (5)
SI-5
SI-7 (1) (7)
SI-8 (1) (2)
SI-10
SI-11
SI-12
SI-16
18. PM: Program Management (Management Controls Family)
PM-1
PM-2
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
PM-12
PM-13
PM-14
PM-15
PM-16
Information Security Program Plan
Senior Information Security Officer
Information Security Resources
Plan of Action and Milestones Process
Information System Inventory
Information Security Measures of Performance
Enterprise Architecture
Critical Infrastructure Plan
Risk Management Strategy
Security Authorization Process
Mission/Business Process Definition
Insider Threat Program
Information Security Workforce
Testing, Training, and Monitoring
Contacts with Security Groups and Associations
Threat Awareness Program
all
all
all
all
all
all
all
all
all
all
all
all
all
all
all
all

Introduction:
When it comes to ensuring security for an organization’s information systems, one of the most important steps is creating an Information System Security Plan (ISSP). As a staff member supporting the Chief Information Security Officer (CISO), you may be required to research and draft an ISSP for a General Support System (GSS). In order to create an effective plan, it is important to gather information about the system, the individuals responsible for it, and any relevant regulations or policies.

Description:
The ISSP serves as a critical document for managing the security risks associated with an organization’s GSS. In order to create a comprehensive plan, it is important to include key information such as the system name and title, appropriate system categorization, the system owner, authorizing official, and other designated contacts. It is also crucial to assign security responsibility to a specific individual and indicate the operational status of the system. Additionally, a description of the system’s purpose and function, as well as a general overview of the technical system environment, must be included. Another critical component of an ISSP is a list of interconnected systems and information sharing agreements. Lastly, any applicable laws and regulations related to data confidentiality, integrity, or availability must also be listed. By taking all of these factors into consideration, a comprehensive ISSP can be created to effectively mitigate the risks associated with GSS.

Objectives:
– To create an Information System Security Plan for a General Support System
– To identify the appropriate system categorization and operational status
– To describe the system’s function/purpose and technical environment
– To list any related laws/regulations/policies

Learning Outcomes:
By the end of this task, the staff member will be able to:
– Define a General Support System and its components as per NIST SP 800-18
– Identify the system owner, authorizing official, and other designated contacts for a field office IT system
– Assign security responsibilities for a General Support System
– Describe the purpose/function and technical environment of a General Support System
– Identify any laws or regulations that apply to a General Support System and specify the required security controls

Solution 1:

Information System Security Plan

1. Information System Name/Title: Unique identifier and name given to the system. [use information from the case study]

Field Office General Support System (FOGSS)

2. Information System Categorization: Identify the appropriate system categorization [use the information from the case study].

FOGSS is categorized as a General Support System.

3. Information System Owner: Name, title, agency, address, email address, and phone number of person who owns the system. [Use the field office manager]

Field Office Manager: John Smith, ABC Agency, 123 Main Street, john.smith@abcagency.gov, 555-555-1212

4. Authorizing Official: Name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official. [Use the company’s Chief Information Officer.]

Chief Information Officer: Jane Doe, XYZ Corporation, 456 Market Street, jane.doe@xyzcorp.com, 555-555-1212

5. Other Designated Contacts: List other key personnel, if applicable; include their title, address, email address, and phone number. [include the CISO, the ISSO, and other individuals from the case study, if appropriate]

Chief Information Security Officer (CISO): Tom Johnson, XYZ Corporation, 456 Market Street, tom.johnson@xyzcorp.com, 555-555-1212

Information System Security Officer (ISSO): Sarah Jones, ABC Agency, 123 Main Street, sarah.jones@abcagency.gov, 555-555-1212

6. Assignment of Security Responsibility: Name, title, address, email address, and phone number of the person who is responsible for the security of the system. [use the case study information]

IT Security Manager: Mike Brown, XYZ Corporation, 456 Market Street, mike.brown@xyzcorp.com, 555-555-1212

7. Information System Operational Status: Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status. [Use the case study information.]

Operational: FOGSS is fully functional and operational.

8.0 Information System Type: Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose. [use the case study information]

General Support System: FOGSS is a General Support System.

9.0 General System Description/Purpose: Describe the function or purpose of the system and the information processes. [use the case study information]

FOGSS is an interconnected set of information resources that share common functionality, under the same direct management control of the Field Office Manager. It provides IT support to the field office. It includes several hardware and software components, such as workstations, servers, printers, databases, and applications necessary to perform the office’s tasks.

10. System Environment: Provide a general description of the technical system. Include the primary hardware, software, and communications equipment. [use the case study information and diagrams. Add brand names, equipment types as required (if not provided in the case study)]

FOGSS’s primary hardware includes servers, workstations, printers, and switches. The servers run the operating systems and hosting applications, databases, and data storage. The workstations are used by staff members to perform various office tasks. The printers are connected to the network and used to print documents. The switches connect the devices and create the local area network.

FOGSS’s primary software includes the operating systems and applications used to perform the office’s tasks. The operating systems include Windows Server and Windows 10. The applications include Microsoft Office, Adobe Reader, and other specialized software.

FOGSS’s primary communications equipment includes network cables, routers, switches, and firewalls.

11. System Interconnections/Information Sharing:

FOGSS is interconnected with several other systems used by the ABC Agency and other external organizations. These systems include the payroll system, human resources system, email system, and other IT support systems. The information sharing agreement was signed on September 15, 2020.

The authorizing official for the interconnection agreement is Jane Doe, Chief Information Officer of XYZ Corporation.

12. Related Laws/Regulations/Policies:

FOGSS must comply with several laws and regulations, including:

– Federal Information Security Modernization Act (FISMA)
– Health Insurance Portability and Accountability Act (HIPAA)
– National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
– XYZ Corporation’s IT Security Policies and Procedures

Solution 2:

Information System Security Plan

1. Information System Name/Title: Unique identifier and name given to the system. [use information from the case study]

Field Office General Support System (FOGSS)

2. Information System Categorization: Identify the appropriate system categorization [use the information from the case study].

FOGSS is categorized as a General Support System.

3. Information System Owner: Name, title, agency, address, email address, and phone number of person who owns the system. [Use the field office manager]

Field Office Manager: Mary Johnson, DEF Agency, 789 Oak Street, mary.johnson@defagency.gov, 555-555-1212

4. Authorizing Official: Name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official. [Use the company’s Chief Information Officer.]

Chief Information Officer: John Smith, ABC Corporation, 123 Main Street, john.smith@abccorp.com, 555-555-1212

5. Other Designated Contacts: List other key personnel, if applicable; include their title, address, email address, and phone number. [include the CISO, the ISSO, and other individuals from the case study, if appropriate]

Chief Information Security Officer (CISO): Tom Brown, ABC Corporation, 123 Main Street, tom.brown@abccorp.com, 555-555-1212

Information System Security Officer (ISSO): Jack Allen, DEF Agency, 789 Oak Street, jack.allen@defagency.gov, 555-555-1212

6. Assignment of Security Responsibility: Name, title, address, email address, and phone number of the person who is responsible for the security of the system. [use the case study information]

IT Security Manager: Sarah Jones, XYZ Corporation, 456 Market Street, sarah.jones@xyzcorp.com, 555-555-1212

7. Information System Operational Status: Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status. [Use the case study information.]

Operational: FOGSS is fully functional and operational.

8.0 Information System Type: Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose. [use the case study information]

General Support System: FOGSS is a General Support System.

9.0 General System Description/Purpose: Describe the function or purpose of the system and the information processes. [use the case study information]

FOGSS is an interconnected set of information resources that share common functionality, under the same direct management control of the Field Office Manager. It provides IT support to the field office. It includes several hardware and software components, such as workstations, servers, printers, databases, and applications necessary to perform the office’s tasks.

10. System Environment: Provide a general description of the technical system. Include the primary hardware, software, and communications equipment. [use the case study information and diagrams. Add brand names, equipment types as required (if not provided in the case study)]

FOGSS’s primary hardware includes servers, workstations, printers, and switches. The servers run the operating systems and hosting applications, databases, and data storage. The workstations are used by staff members to perform various office tasks. The printers are connected to the network and used to print documents. The switches connect the devices and create the local area network.

FOGSS’s primary software includes the operating systems and applications used to perform the office’s tasks. The operating systems include Windows Server and Windows 10. The applications include the XYZ Corporation’s proprietary software and other specialized software.

FOGSS’s primary communications equipment includes network cables, routers, switches, and firewalls.

11. System Interconnections/Information Sharing:

FOGSS is interconnected with several other systems used by the DEF Agency and other external organizations. These systems include the financial system, human resources system, email system, and other IT support systems. The information sharing agreement was signed on January 1, 2021.

The authorizing official for the interconnection agreement is John Smith, Chief Information Officer of ABC Corporation.

12. Related Laws/Regulations/Policies:

FOGSS must comply with several laws and regulations, including:

– Federal Information Security Modernization Act (FISMA)
– Health Insurance Portability and Accountability Act (HIPAA)
– National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
– ABC Corporation’s IT Security Policies and Procedures.

Suggested Resources/Books:
1. NIST Special Publication 800-18 Guide for Developing Security Plans for Information Technology Systems.
2. Cyber Security Handbook: Proactive Defense for Today’s Enterprise by Dr. Eric Cole.
3. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management by Thomas R. Peltier.
4. Information Security Management Handbook, Sixth Edition, Volume 7 by Hal Tipton.
5. CompTIA Security+ Certification Study Guide, Fourth Edition (Exam SY0-501) by Glen E. Clarke.

Similar Asked Questions:
1. What is a general support system, and how does it differ from a major application system?
2. Who is responsible for system security in a field office, and how does that responsibility differ from the authorizing official?
3. What is an information system security plan?
4. What are the components of an information system security plan?
5. How do laws and regulations impact the development of an information system security plan?

Basic features
  • Free title page and bibliography
  • Unlimited revisions
  • Plagiarism-free guarantee
  • Money-back guarantee
  • 24/7 support
On-demand options
  • Writer’s samples
  • Part-by-part delivery
  • Overnight delivery
  • Copies of used sources
  • Expert Proofreading
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Our guarantees

Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.

Money-back guarantee

You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.

Read more

Zero-plagiarism guarantee

Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.

Read more

Free-revision policy

Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.

Read more

Privacy policy

Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.

Read more

Fair-cooperation guarantee

By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.

Read more
× How can I help you?