Tuesday, September 20, 2005

First Step in Completing the SSAA

In my opinion, understanding the system you are working on is the most important part of writing a System Security Authorization Agreement (SSAA). Once you have an understanding of how the system works, why the system is necessary and what the current status of the system is, it becomes much easier to put the pieces together.

Although the SSAA is a very detailed document, much of the data in the document is filler information. You are gathering information on the system (or the system being created) in order to put together a comprehensive account of the security of the system.
If you look at the outline below, you will see that many of the items required in the SSAA should already exist:

1. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION

2. ENVIRONMENT DESCRIPTION

3. SYSTEM ARCHITECTURAL DESCRIPTION

4. ITSEC SYSTEM CLASS

5. SYSTEM SECURITY REQUIREMENTS

6. ORGANIZATIONS AND RESOURCES

7. DITSCAP PLAN


The difficulty comes when you have very little information or resources (such as engineers who have worked on the system or old documentation). That is when the SSAA gets tricky and each paragraph becomes like a mountain you must conquer.

I've found that most of my challenges come from legacy systems that do not fit into the modern-day security needs of the organization. When this happens I don't panic. I'm simply assessing the system and reporting the facts. It is the Designated Approval Authority that must ultimately take the risk.

1 Comments:

Blogger pessimisticallyme said...

This is very interesting information. Thanks for posting :)

10:13 AM  
