Purpose:

To describe required elements of a system security plan

Standard:

  1. System security plans include the following:
    1. Description of the operational context.
    2. System categorization and the information classification of the data to be used with the system, along with supporting justifications for those decisions.
    3. Inventory of the components that constitute the information system.
    4. Connections between the information system and any other systems.
    5. Overview of security requirements.
    6. Security controls that are in place or planned for implementation, including user responsibilities and how users will be trained.
    7. Dates and milestones for implementing planned security controls and for remediating identified vulnerabilities.
  2. Security plans must be reviewed and approved by the unit’s Information Security Administrator (ISA) and Information Security Manager (ISM).
  3. Security plans must be updated whenever significant upgrades, configuration changes or software development take place. Plans must also be updated to reflect the remediation needed when vulnerabilities or control deficiencies are identified. Security plans must be reviewed and updated at least every three years.

References:

SEC-RM-001: Information Security Risk Management Policy