reply to discussion below
The main purpose of having a System Security Plan (SSP) is to apply specific controls that mitigate the risk to IT systems of a particular site. This plan must also clearly identify the responsibilities of key personnel to include the Information Systems Security Officer (ISSO) and should be understood by all users of the information system. Since Red Clay Renovations Company has multiple field sites, each with a different ISSO and different architecture, each should have a separate SSP.
A one size fits all approach will not work for Red Clay Renovations Company because of the different field sites. Swanson, Hash, and Bowen (2006) explain that “System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls” (pg. 3). Some field offices may have different access control requirements to their systems that one of the other sites may not require. If there is only one SSP for the entire company, then it would conflict with the different requirements for the sites. This fact would limit the ability for “living documents” to be updated for what each site needs. Applying a one fits all strategy would essentially be a set of bureaucratic handcuffs preventing the sites from applying the specific controls that they really need to protect the security of their systems.
The ability for each of the sites to execute an incident response plan will require a specific SSP to identify key personnel at each site to carry out the plan. If Red Clay Renovations Company only had one SSP it would be more difficult to react to an incident. An SSP created for each site would be able to identify an incident response team at each site that would be able to react in a way that would support each site and they would be able to react quicker than an overall incident response team for the company. Orion Cassetto (2018) explains that “ the plan must have specific, actionable steps the team can follow quickly when an incident occurs. At the same time, creating rigid processes leads to complexity and an inability to deal with unexpected scenarios” (para. 8). Applying an SSP with a tailored incident response team will reduce the complexity and it will ease the difficulty of Red Clay Renovations Company’s ability to respond to an incident.
Lastly, the Baltimore field office, the Philadelphia field office, and the Wilmington headquarters will all require different physical environmental controls depending on the hazards that could harm each site. Educause (n.d.) explains that “The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment” (para. 1). Each site might have different requirements for physical deterrents depending on the neighborhood that the site is located and the crime in that neighborhood. Each site might also be affected by different natural disasters that would require one site to act will the other sites may be unaffected. This fact means that each site should have its own SSP that addresses the physical environmental controls that suites each sites needs.
References
Cassetto, O. (2018). What is an Incident Response Plan and Why Do You Need One? Retrieved from https://www.exabeam.com/incident-response/incident-response-plan/
Educause. (n.d.). Physical and Environmental Controls. Retrieved from https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/physical-and-environmental-controls
Swanson, M., Hash, J., & Bowen, J. (2006). Guide for developing security plans for federal information systems (NIST SP 800-18, Rev 1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf