The Information Security Office (ISO) will review and identify the applicable security frameworks – International Organization for Standardization, National Institute of Standards and Technology (NIST) Security Controls (SP800-53) and other identified industry standards to be applied and tailored within Washington University (WashU) departments and schools.
Controls will be assigned to create protection levels. Control assignments will be based on the information classification (protected, confidential and public) and system classification (regulated, business, research, and academic) of the information created, hosted, or transmitted within the university's infrastructure.
The One Campus Security Posture Policy was designed to divide the enterprise network into secure network segments, or Domains of Trusts (DOT), as a step toward creating a layered infrastructure. This is consistent with moving security controls closer to the assets (information and infrastructure) they are intended to protect; a DOT implies a level of trust. A level of trust provides assurance to the chief-suite that information is protected by known and measurable means; these means are what we consider controls. Levels of trust suggest levels of assurance as well.
In order to have these assurances, it is important for tenants of the trust domain to adhere to the controls established for them.
All Information Technology assets are required by policy to be placed in one of three established trust domains. This workbook will be used to complete any System Security Plan (SSP) in cases where the Information System or IT infrastructure has been classified into a DOT and requires an SSP by regulation, by contract, or because the risk to the university is high.
The controls in this workbook also prescribe the expected protections required within each trust zone.
A key element of risk-based security is the idea that defenses should reflect the level of risk to a system. Systems are rated as high, moderate, or low impact depending on the effect a breach of the system would have on the university's or agency's mission. High-impact systems should be defended against “high-skilled, highly motivated, and well-resourced” threats, while systems or information that present less impact can be defended with a lighter set of controls. Agencies and information owners will classify information and state the level of impact to the organization or agency if the information is breached; this is typically known as a FIPS 199 categorization process.
This workbook will be used to complete any System Security Plan in cases where a government agency has designated in the contract that the infrastructure/system should be protected at a LOW Impact level.
NIST 800-171 is a subset of requirements focused on information confidentiality taken directly from the NIST 800-53 publication that specifically apply to Controlled Unclassified Information (CUI) shared by the federal government with a non-federal entity.
The controls protect CUI in non-federal IT systems from unauthorized disclosure. Washington University, in conducting research, frequently encounters CUI while carrying out contracted work for federal agencies. This workbook should be used to complete any System Security Plan in cases where CUI has been designated or is expected to be received or generated during the research effort.
A System Security Plan (SSP) is a formal plan which documents the controls that have been selected to mitigate the risk of a system or infrastructure. It is a record of adherence to a control framework and defines the plan of action required to mitigate deficiencies. Controls are determined by a risk analysis and often are passed down through agency contracts or applicable laws.
An SSP is implemented in IT environments when required by agency contracts or when the impact to information Confidentiality, Integrity, and Availability (CIA) is above university risk tolerance levels.
It is used to protect and control an information system. It also serves as a mechanism to demonstrate compliance with a set of standards and is given to the agency or prime contractors as a means to demonstrate that compliance. It is created using the organization/IT environment security framework as the benchmark.
An SSP includes:
- List of authorized personnel/users/entities that can access the system/infrastructure and the authorizations that are permitted on the system
- A description of the system/infrastructure environment
- A definition of the system/infrastructure boundaries that are in scope of the plan and under the control framework
- Access control methods, or how users will access the system (user ID/password, digital card, biometrics)
- Documented compliance with a control framework
If you are required to have an SSP, or it has been determined that you should have one, the template is where you should begin. Please consult with Information Security for additional guidance.