Security Planning And Contingency Planning (NIST SP 800-100)

Security planning provides an overview of the security needs of a system together with a description of the controls, existing or planned, that satisfy those needs. Similarly, information technology contingency planning is an essential process for equipping GSS (General Support Systems) and MA (Major Applications) with backup methods and procedures for data recovery and reconstitution against information technology risks. Let us explore both kinds of planning as described in NIST SP 800-100.

Security Planning

The system security plan defines the responsibilities and expected behavior of all individuals who access the system. It should reflect input from the various officials with responsibilities for the system, such as the system owner, the information owners and the SAISO (Senior Agency Information Security Officer). Since the system security plan is an essential deliverable of the SDLC process, the users and officials responsible for describing the system's needs should be familiar with the security planning process. The following guidance offers fundamental details on how to create a security plan that meets the applicable federal requirements, and it is easily adaptable to different organizational structures.

Major Applications, General Support Systems, and Minor Applications

Every information system should be covered by a security plan and categorized as an MA (Major Application) or a GSS (General Support System). Separate system security plans are not needed for minor applications, since the controls for those applications are provided by the MA or GSS within which they operate. Where a minor application is not connected to a GSS or MA, it must be described briefly in a GSS plan.

Security Planning Roles And Responsibilities

The organization should designate appropriate professionals for the following activities to ensure effective security planning:

  • Periodic review, POA&M (plans of action and milestones) tracking and modification of system security plans

  • Reviewing the plan before it is scheduled for the certification and accreditation process

  • Following up on the security controls and updating them so that they reflect the current situation

  • Analysing and confirming that the security controls defined in the system security plan are consistent with the FIPS 199 security category

Since the general roles and responsibilities were discussed in the blog post An Introduction To Information Technology – Roles and Responsibilities, here we list only the responsibilities that are specific to information security planning.

Responsibilities Of Chief Information Officer

  • Appointing a SAISO to carry out the responsibilities of CIO for system security planning

  • Handling the determination, implementation & assessment of security controls

  • Supporting senior agency officials for system plans

  • Determining and developing security controls for the organization

Responsibilities Of Information System Owner

  • Creating the security plan in coordination with the information owners, the ISSO, the SAISO, system administrators and end users

  • Maintaining the system security plan and ensuring that the system is operated according to its security requirements

  • Ensuring that support personnel and system users receive the necessary security training, and assisting in the determination, implementation and evaluation of the security controls

Responsibilities Of Information Owner

  • Establishing the rules for the appropriate use and protection of the data and information

  • Providing input to the information system owners on the security requirements and security controls for the information systems

  • Deciding the types of access privileges granted for the information system

  • Assisting in the determination and evaluation of the common security controls

Responsibilities Of Senior Agency Information Security Officer

  • Carrying out the CIO's responsibilities for security planning

  • Coordinating the development, review and acceptance of system security plans with the ISSOs, information system owners and authorizing officials

  • Assisting in the determination, implementation and evaluation of the common security controls

  • Possessing the professional qualifications, such as training and experience, needed to develop and review security plans

Responsibilities Of Information System Security Officer

  • Assisting the SAISO in the determination, implementation and evaluation of the common security controls

  • Supporting the development and maintenance of the security plan

Rules of Behavior

The rules of behavior, a form of security control, should clearly define the responsibilities and expected behavior of all individuals who have access to the system. They should also state the consequences of inconsistent behavior or noncompliance, and be made available to every user before access is authorized.

System Security Plan Approval

Organizational policy should define who is accountable for system security plan approval and the procedures for plan submission. Before the certification and accreditation process, the plan is generally approved by an appropriate official who is independent of the system owner.

System Boundary Analysis and Security Controls

The FIPS 199 impact levels must be considered when drawing the system boundaries and when selecting the baseline security controls. The baseline security controls can be tailored according to the risk assessment and local conditions such as:

  • Organization-specific security requirements

  • Cost-benefit analyses

  • Specific threat information

  • Special circumstances

  • Compensating controls availability

The process of uniquely assigning information resources to an information system defines the system's security boundary. Organizations have flexibility in determining what constitutes an information system. Where a group of information resources is identified as an information system, those resources should be under the same direct management control. An information system may also comprise multiple subsystems; a subsystem is a major component or subdivision of the information system.

Security Controls

FIPS 200 presents the 17 minimum security requirements for information systems. An organization must satisfy the minimum security requirements in this standard by implementing security controls based on the designated impact levels of its information systems. The organization has the flexibility to tailor the control baseline according to its own terms and conditions. Tailoring activities include:

  • Compensating controls specification

  • Scoping guidance application

  • Agency-defined parameters specification in the security controls

Scoping Guidance

Subsystems generally fall under the same management authority and are covered within a single security plan. The following figure illustrates a GSS with three subsystems:

[Figure: NIST scoping guide, a GSS with three subsystems]

Image source: NIST

Scoping guidance provides an organization with specific terms and conditions on the applicability and implementation of individual security controls. Security plans should identify which security controls had scoping guidance applied and include a description of the considerations that were made.

Compensating Controls

Compensating controls are the management, operational or technical controls an organization uses in place of the controls prescribed in the low, moderate and high security control baselines, and that provide comparable or equivalent protection for the information system.

Common Security Controls

An organization-wide perspective on the information security program enables the identification of common security controls, which can be applied to one or more of the organization's information systems. Common security controls can be applied to:

  • All of the organization's information systems

  • A group of systems at a specific site

  • Common information systems, subsystems or applications deployed at multiple operational sites

Security Control Selection

An organization must satisfy the minimum security requirements in FIPS 199 by selecting appropriate security controls and assurance requirements to achieve adequate security. This is a risk-based, multifaceted activity involving management and operational personnel within the agency.

Completion and Approval Dates

The completion date of the security plan should be recorded and updated every time the plan is reviewed and revised. The security plan should also include the date on which the designated authority and the authorizing officials approved it.

Ongoing System Security Plan Maintenance

Once the security plan is accredited, it should undergo periodic assessment and review to ensure that it continues to reflect accurate details about the system. The items to be considered in the review are:

  • Change in information system owner

  • Change in information security authority

  • Major change in system architecture

  • Change in system scope

  • Change in authorizing official

Information Technology Contingency Planning

Risks to information systems may be technological, natural or human in nature. Contingency planning covers the recovery process and the documentation of the procedures for performing recovery. The following figure illustrates the contingency planning activities that should be addressed in each phase of the SDLC:

[Figure: contingency planning activities across the SDLC phases]

Image source: NIST

Recovery strategies should be built into the MA's or GSS's architecture during the development phase. Contingency procedures must be tested and maintained in the implementation phase. The contingency plan should be exercised and maintained in the operation/maintenance phase. In the disposal phase, the legacy system should remain intact and operational as a contingency until the new information system has been tested.

Seven Step IT Contingency Planning Process

  1. Develop Contingency Planning Policy Statement

The first step in developing an IT contingency plan is establishing the contingency planning policy. The policy statement should describe:

  • Overall contingency objectives

  • Roles and responsibilities

  • Leadership

  • Resource requirements

  • Maintenance schedules

  • Test, training and exercise schedules

  2. Conduct Business Impact Analysis (BIA)

This critical step identifies the components of the information system, their interdependencies and the impact of potential downtime. It is conducted by determining the system's critical resources, which are then examined to identify how long each resource could be unavailable before an unacceptable impact is experienced.
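The BIA step above turns on two questions: which resources are critical, and how long each can be unavailable before the impact becomes unacceptable. A detail that is easy to miss is that the answer for a shared resource is not the number its owner writes down; it is bounded by the tightest requirement of everything that depends on it. The following Python helper is an added illustration of that propagation, not code from NIST SP 800-100 or from the page. The resource names, the maximum tolerable downtime (MTD) values in hours and the dependency edges are constructed sample data; in a real BIA they would be collected from the system and information owners.

```python
"""Dependency-aware Business Impact Analysis (BIA) helper.

Added illustration, not from NIST SP 800-100 or SP 800-34. Resource names,
maximum tolerable downtime (MTD) values and dependency edges are constructed
sample data; a real BIA would gather them from system and information owners.
"""
from collections import defaultdict

# Constructed inventory: resource -> MTD in hours, as stated by its owner.
STATED_MTD_HOURS = {
    "payroll-app": 24,
    "email": 48,
    "db-cluster": 72,
    "san-storage": 96,
    "network-core": 120,
}

# Constructed dependency map: resource -> resources it cannot run without.
DEPENDS_ON = {
    "payroll-app": ["db-cluster", "network-core"],
    "email": ["network-core"],
    "db-cluster": ["san-storage", "network-core"],
    "san-storage": ["network-core"],
    "network-core": [],
}


def consumers_of(depends_on):
    """Invert the dependency map: provider -> list of resources relying on it."""
    consumers = defaultdict(list)
    for resource, providers in depends_on.items():
        for provider in providers:
            consumers[provider].append(resource)
    return consumers


def effective_mtd(stated, depends_on):
    """Propagate MTD down dependency chains.

    A provider cannot be allowed more downtime than the most demanding
    resource that relies on it, so each resource's effective MTD is the
    minimum of its own stated value and the effective MTD of every consumer.
    Iterating to a fixed point handles chains of any depth (and cycles).
    """
    consumers = consumers_of(depends_on)
    effective = dict(stated)
    changed = True
    while changed:
        changed = False
        for resource in stated:
            candidates = [effective[resource]] + [effective[c] for c in consumers[resource]]
            tightest = min(candidates)
            if tightest < effective[resource]:
                effective[resource] = tightest
                changed = True
    return effective


def understated_resources(stated, depends_on):
    """Resources whose owner-stated MTD is looser than what their consumers need.

    These are the gaps a BIA should surface: the owner believes the resource
    can be down for the stated hours, but a dependent system needs it back sooner.
    Returns resource -> (stated_hours, effective_hours).
    """
    effective = effective_mtd(stated, depends_on)
    return {r: (stated[r], effective[r]) for r in stated if effective[r] < stated[r]}


def recovery_priority(stated, depends_on):
    """Order resources for recovery: tightest effective MTD first, then the
    resources with the most dependents, then by name for a stable result."""
    effective = effective_mtd(stated, depends_on)
    consumers = consumers_of(depends_on)
    return sorted(stated, key=lambda r: (effective[r], -len(consumers[r]), r))


if __name__ == "__main__":
    gaps = understated_resources(STATED_MTD_HOURS, DEPENDS_ON)
    for name, (declared, needed) in gaps.items():
        print(f"{name}: owner stated {declared}h, dependents require {needed}h")
    print("recovery order:", recovery_priority(STATED_MTD_HOURS, DEPENDS_ON))
```

With the constructed data, the storage and network owners each believe they have several days of slack, but because the payroll application needs its database back within 24 hours, every resource beneath it inherits that 24-hour requirement; the recovery order therefore starts with the shared network core rather than with the application the business actually cares about. That inversion is exactly the interdependency finding the BIA is meant to produce before recovery strategies are chosen.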

  3. Identify Preventive Controls

Implementing preventive controls may address some of the outage impacts identified in the BIA. Common preventive controls include:

  • Uninterruptible power supply

  • Nonelectronic records

  • Fire Suppression systems

  • Frequent, scheduled data backups

  4. Develop Recovery Strategies

Even when preventive measures are implemented, a disruption may still occur. A recovery strategy must therefore be in place to recover data and system operations. Recovery strategies are designed as a combination of methods that together mitigate the full spectrum of risks.

  5. Develop IT Contingency Plan

The procedures for executing the recovery strategy are documented in the IT contingency plan. The plan is structured around five components, as illustrated in the following figure:

[Figure: the five components of the IT contingency plan]

Image source: NIST

The supporting information and appendices components provide the supplementary information needed to understand the context. The notification, recovery and reconstitution phases document the procedures themselves.

  6. Plan Testing, Training, And Exercises

Officials responsible for executing the contingency plan should be trained in its procedures, the recovery strategy should be tested, and the plan should be exercised.

The planned testing should comprise:

  • System performance using substitute equipment

  • System recovery on a substitute platform from the backup media

  • Notification procedures

Personnel training should comprise:

  • Security requirements

  • Plan Purpose

  • Cross-team coordination & communication

  • Individual responsibilities

  • Team-specific processes

Plan exercises should be designed to examine the components of the plan individually first and then collectively, so that multiple components of the whole plan are tested together.

  7. Plan Maintenance

The contingency plan should always be kept in a ready state for immediate use upon notification. Periodic reviews of the contingency plan should confirm the currency of vendor information, key personnel, the recovery strategy, system components and dependencies, operational requirements and vital records.

We hope the information covered in this section on system security planning and information system contingency planning helps you protect your organization effectively.
