3.1.14 has a weight of -1 points

(Access Control Family) 14/22

Route remote access via managed access control points.

Example of System Security Plan (SSP):

System Security Plan (SSP) for [Company Name]

1. Introduction

This System Security Plan outlines the organization’s approach to securing controlled unclassified information (CUI) by implementing managed access control points, firewalls, authentication methods, monitoring systems, and training programs.

2. Managed Access Control Points

  • 2.1 Designation: Specific gateways are identified and established for remote access connections, serving as the control points for all remote traffic.
  • 2.2 Security Measures: Strong measures such as firewalls, intrusion detection/prevention systems, and encryption mechanisms are implemented at these control points.
  • 2.3 Authentication: Robust methods, including multi-factor authentication, are employed to verify remote users’ identities.
  • 2.4 Monitoring and Logging: Systems track and log activities routed through the control points, with regular reviews to detect anomalies and investigate suspicious activities.
  • 2.5 Training and Awareness: Remote users are educated about organizational policies and guidelines, emphasizing the proper use of managed access control points.

3. Additional Security Measures

  • 3.1 Role-Based Access Control: Permissions and role-based access routing are used to manage different areas of the system.
  • 3.2 Cloud-Based Strategy: Remote access is integrated with cloud solutions such as Office 365 GCC High, ensuring secure routing.

4. Compliance

The plan aligns with relevant standards, including FIPS 140-2.

5. Responsibilities

Both the IT Department and Employees share responsibilities in implementing, maintaining, and adhering to these security measures.

6. Review and Updates

The plan is subject to ongoing monitoring, audits, and necessary revisions to ensure compliance and effectiveness.

7. Approval

This SSP is approved by:

[Name, Title] Signature:________________________ Date: _______________

Example of Plan of Action and Milestones (POA&M):

Plan of Action & Milestones (POA&M) for [Company Name]

  1. Objective: Ensure the secure and reliable implementation of Managed Access Control Points.

    • Milestone 1: Complete the identification and establishment of gateways for remote access.
      • Deadline: MM/DD/YYYY
    • Milestone 2: Ensure firewall and intrusion detection systems are correctly configured and regularly updated.
      • Deadline: MM/DD/YYYY
    • Milestone 3: Implement and test multi-factor authentication for remote users.
      • Deadline: MM/DD/YYYY
    • Milestone 4: Conduct monthly reviews of monitoring logs to ensure no unauthorized access.
      • Deadline: Every month on MM/DD
    • Milestone 5: Conduct quarterly training sessions for remote users on organizational policies and guidelines.
      • Deadline: Every quarter on MM/DD
  2. Objective: Strengthen Additional Security Measures.

    • Milestone 1: Finalize the role-based access control system ensuring correct permissions are assigned.
      • Deadline: MM/DD/YYYY
    • Milestone 2: Secure and verify the integration with Office 365 GCC High for cloud-based routing.
      • Deadline: MM/DD/YYYY
  3. Objective: Ensure Compliance with FIPS 140-2 and other relevant standards.

    • Milestone 1: Conduct a compliance audit to verify adherence to FIPS 140-2.
      • Deadline: MM/DD/YYYY
    • Milestone 2: Address any areas of non-compliance and rectify issues.
      • Deadline: MM/DD/YYYY
  4. Objective: Distribute Security Responsibilities and Ensure Adherence.

    • Milestone 1: Conduct a workshop with IT Department to align on shared responsibilities.
      • Deadline: MM/DD/YYYY
    • Milestone 2: Conduct awareness sessions for all employees on their roles and responsibilities related to system security.
      • Deadline: MM/DD/YYYY
  5. Objective: Regularly Review and Update the SSP.

    • Milestone 1: Conduct semi-annual audits to identify areas of improvement.
      • Deadline: Every 6 months on MM/DD
    • Milestone 2: Update the SSP based on findings from audits and changing organizational needs.
      • Deadline: MM/DD/YYYY
  6. Responsible Parties:

    • IT Department: Oversee technical implementations and conduct audits.
    • Human Resources: Organize training and awareness sessions.
    • All Employees: Adhere to guidelines and protocols.

RELEVANT INFORMATION:

Routing remote access through managed access control points gives the organization explicit control over such connections, reducing the susceptibility to unauthorized access to organizational systems that could result in the unauthorized disclosure of CUI.
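One way to carry out the log review this control calls for (SSP section 2.4 and POA&M milestone 4 above), as an added example that is not part of the original page: a Python check that reads remote-access session records and flags any session that did not enter through a designated managed access control point, or that was not protected by MFA. The log line format, gateway addresses and user names are constructed assumptions, not taken from any real product.

```python
"""Review remote-access session records against the gateways the SSP
designates as managed access control points (constructed example)."""
import re
from dataclasses import dataclass

# Assumption: these are the only gateways the SSP designates as managed
# access control points (constructed sample addresses).
MANAGED_ACCESS_POINTS = {"203.0.113.10", "203.0.113.11"}

# Constructed record format (not a real product's log format):
# "<timestamp> remote-access user=<u> src=<ip> gw=<gateway ip> mfa=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) remote-access user=(?P<user>\S+) src=(?P<src>\S+)"
    r" gw=(?P<gw>\S+) mfa=(?P<mfa>yes|no)$"
)

@dataclass
class Finding:
    ts: str
    user: str
    reason: str

def review(lines):
    """Return one Finding per session that bypassed a managed access control
    point or lacked MFA. A malformed record is reported, not silently skipped,
    so a logging gap cannot hide a bypass."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", f"unparseable record: {line!r}"))
            continue
        if m["gw"] not in MANAGED_ACCESS_POINTS:
            findings.append(Finding(m["ts"], m["user"],
                                    f"entered via unmanaged gateway {m['gw']}"))
        elif m["mfa"] == "no":
            findings.append(Finding(m["ts"], m["user"], f"no MFA at {m['gw']}"))
    return findings

# Constructed sample records for a monthly review run.
SAMPLE_LOG = """
2024-05-01T08:02:11Z remote-access user=jdoe src=198.51.100.23 gw=203.0.113.10 mfa=yes
2024-05-01T08:15:40Z remote-access user=asmith src=198.51.100.77 gw=203.0.113.11 mfa=no
2024-05-01T09:01:05Z remote-access user=svc-backup src=192.0.2.44 gw=192.0.2.1 mfa=yes
corrupted line from collector
"""

if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user}: {f.reason}")
```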

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.