The Key Components of a Systems Security Plan (SSP)


While the technology businesses rely on becomes more advanced every day, so do the cyberattacks that exploit it. For modern businesses, security vulnerabilities aren’t just worrisome; they are wreaking havoc in workplaces of all sizes.

No matter what your business, safeguarding your company’s data is a primary obligation that simply can’t be taken lightly. Data breaches can lead to exorbitant costs in extortion fees from ransomware, non-compliance fines and lost customers, which most businesses can’t afford.

If you are a C-level executive looking to develop stronger cybersecurity defenses in your workplace, creating a robust Systems Security Plan (SSP) is an excellent place to begin. We’ve outlined below some of the key aspects of a Systems Security Plan so that you can get started implementing greater protections for your systems:

What is an SSP?

A Systems Security Plan is documentation that outlines the functions and features of a system. It includes the hardware and software installed, security measures implemented and detailed processes for auditing the system. It provides information on controls put in place to limit access to certain users and training for system administrators and users. An SSP acts as a comprehensive list of all security policies that help keep your company’s data safe.

A business’s SSP also serves as a roadmap for its cybersecurity program, clearly defining which defenses and controls should be put in place. This helps the business save time and money by having a clear plan to follow when implementing cybersecurity measures.

Developing an SSP is an ongoing process. Once your organization has performed an IT risk assessment and determined which cybersecurity controls should be put in place, it should begin developing the SSP. Once the SSP is established, the organization should perform a security control assessment to find gaps between the plan and its implementation. It should then develop and implement a Plan of Actions and Milestones (POA&M) to fill in those gaps and ensure its data is protected.

How to Write an SSP

You should write your company’s Systems Security Plan in accordance with the template provided by National Institute of Standards and Technology (NIST) Special Publication 800-171. This publication governs controlled unclassified information (CUI), which is especially important for government-contracted organizations.

Some companies charge their in-house IT team with using the template to develop an SSP. While some businesses have the resources and IT know-how to do this effectively, many organizations do not and will likely need to hire an IT consultant who can help establish an SSP for the business. Outsourcing to a consultant can also allow you to continue focusing on productivity and day-to-day operations while the plan is being established.

When you’re ready to begin developing your SSP, make sure the plan covers the following key areas:

    • Defining system boundaries clearly
    • Ensuring both software and hardware inventory is complete
    • Providing a clear definition of data flow through the system
    • Outlining the implementation protocol and all responsible parties
    • Defining the implementation of the plan across every component

Communication Policy

One component your SSP should provide is a detailed outline of the use of company Internet resources such as email for legal and security reasons. Guidelines regarding personal Internet use, instant messaging and social media should also be outlined under the communications policy.

If your company reserves the right to monitor all the information stored on its systems together with communications sent through its network, it must state this in the SSP.

Privacy Policy

A company should also outline in its SSP restrictions for the distribution of company information. This involves copying, sharing and using the company’s data. This part of the SSP explains how the company will use its data and information. Copyright rules and infringements should also be stated under the privacy policy.

Network Security Policy

This is the anchor of any systems security plan. Everything related to the network’s security is documented under this policy. It lays the essential infrastructure for your company’s network security environment.

Below are some of the elements of a network security policy:

    • Remote access to company data
    • Security protocols for data handling
    • Password sharing, updates and strength
    • Use of external software on the company’s computers
    • Safe configuration of electronic devices, such as tablets, laptops, smartphones and storage devices

Inappropriate Use

In the Systems Security Plan, you should also document inappropriate use of company-owned systems. Improper use is often fairly straightforward and generally includes the following:

    • Distributing malicious viruses
    • Engaging in criminal activities
    • Downloading unsuitable content
    • Accessing restricted sites

Everyone using your company’s system must know what is required of them in order to uphold the security policies outlined in your SSP. These policies should be written in simple language that each employee can understand. Business and legal implications should also accompany these policies.

As you continue to strengthen your cybersecurity defenses to protect against growing cyberthreats, it’s important to remember to come back to your SSP and adjust it accordingly. The more often you fill in the gaps between the plan and its implementation, the more protected your business will be.