An organization implements a cybersecurity program to reduce cyber risk. A System Security Plan (SSP) is the roadmap for your organization’s cybersecurity program. Without a System Security Plan, the program is destined to take wrong turns and end up lost, all of which costs the organization time and money. The worst-case scenario is that the organization’s IT system runs off the road and wrecks—a compromise resulting in a data breach—which then costs the organization much more: reputation, regulatory fines, lawsuits, etc.
After an organization performs an IT Risk Assessment, it can determine which cybersecurity controls (requirements) best help to mitigate risk. The organization uses its System Security Plan to develop policies and to describe the operational and managerial processes and the technology it will implement to meet those controls. Once the plan is developed, the organization can perform a security control assessment to discover gaps between the plan and the current state of implementation. The organization then develops and executes a Plan of Action and Milestones (POA&M) to shore up those gaps and get “cyber healthy”. This cycle of Risk Assessment -> System Security Plan -> Control Assessment -> POA&M is a repeating process. The System Security Plan therefore is not a “fire and forget” exercise; it must be nurtured and maintained in a constantly changing risk environment.
If your organization operates in a regulated environment such as the health care, financial, privacy, or government sectors (HIPAA, SOX/GLBA, GDPR, DFARS), much of the risk is already apparent, and governments have already selected minimum controls for the organization. It’s a matter of ensuring your System Security Plan addresses all of those controls. But what if you are just worried about protecting the intellectual property of your small business? Or say you want to reduce the risk of having to pay Bitcoin to some Eastern European crime syndicate to unlock your system from ransomware? What control set should you choose? How do you develop a System Security Plan that makes sense for your organization?
For small businesses we recommend the controls published in the National Institute of Standards and Technology (NIST) Special Publication 800-171. This document outlines 14 groups or “families” of baseline security controls designed for an organization of any size to use to develop a robust System Security Plan and kick off a cybersecurity program. The families cover a broad spectrum of cybersecurity requirements, all designed to ensure the confidentiality, integrity, and availability of your organization’s important information and systems. By planning and implementing policies, processes, and technology to meet the 110 controls in 800-171, your organization will most definitely lower its cybersecurity risk.
With a decade of experience behind us developing enterprise-grade System Security Plans for the US Federal Government, Totem Technologies can help organizations of any size and in any regulatory environment develop and manage their System Security Plan. Traditionally, developing a System Security Plan meant reams of paperwork, binders full of policies, and lots of references to corporate “legalese” documents gathering dust on shelves. Kind of like using a globe for a roadmap. We take a different approach: with our Totem™ Cybersecurity Planning tool, we turn what used to be a paper drill into a clean and concise cloud-based user experience. Totem™ is like the GPS map on your cellphone. Contact us today for a free trial of Totem™ and let us help you get your cybersecurity program on the road again.