To describe required elements of a system security plan
- System security plans must include the following:
  - Description of the operational context.
  - System categorization and information classification of the data to be used with the system, along with supporting justifications for those decisions.
  - Inventory of the components that constitute the information system.
  - Connections between the information system and any other systems.
  - Overview of security requirements.
  - Security controls that are in place or planned for implementation, including user responsibilities and how users will be trained.
  - Dates and milestones for implementation of planned security controls and for remediation of vulnerabilities.
- Security plans must be reviewed and approved by the unit's Information Security Administrator (ISA) and Information Security Manager (ISM).
- Security plans must be updated as part of any significant upgrade, configuration change, or software development. Plans must also be updated to reflect needed remediation when vulnerabilities or control deficiencies are identified. Security plans must be reviewed and updated at least every three years.
SEC‑RM‑001: Information Security Risk Management Policy