Assignment: Design a security system for a small business and write an IT System Security Plan according to NIST SP 800-171. You will be graded on both the content and your level of understanding of the topic. Take a look at this outline as a sample:
Document Revision – document version, date, author, approval, etc.
Executive Summary – description of your company. Include major roles and responsibilities
System Identification – description of the “system” for which this plan applies. Include names, titles, contact info for the owners and managers. Include an organizational chart for the security personnel
System Operational Status – list the status of each part of the system (Operational, Under Development, etc.)
General System Description – narrative of what the system does, use cases, major input/outputs, etc.
System Environment – location, make/model of equipment, significant software, firewalls, DMZ. Include a network diagram
System Interconnections/Information Sharing – what connects to what, how information is shared and backed up across those connections, etc. Include ports and protocols
Security Controls – the requirements from NIST SP 800-171, Chapter 3
Base the plan on a fictional business that has a dedicated IT staff and 50-100 employees
This business has on-site servers for web, email, database, and line-of-business software
This business is connected to the internet and has both wired and wireless access
This business lets some employees access the network from home
This business collects customer CUI data
The design must include firewalls, a DMZ, intrusion detection, wireless access points, a VPN, etc.
Include a network diagram showing the relevant parts of the security system (particularly what’s in the DMZ)
The security plan must be compliant with all of the requirements of NIST SP 800-171 (Chapter 3)
NIST SP 800-171 has 110 controls in 14 sections (families). That is the Rev. 2 structure; Rev. 3 renumbered and regrouped the requirements, so make sure the revision you cite matches the numbering you use. You must address them all. You are allowed to say that a particular control is “not applicable” (but don’t abuse this category)
Familiarize yourself with the NIST SP 800-171 terms such as “CUI” and “security identifier”
You’ll need a lot more than a short sentence that says “Yeah, we’re gonna do that”. Show me that you understand each control, and include Who, What, When, Where, and Why
Just restating the topic as your solution won’t impress me much
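Covering all 110 controls without gaps is easy to get wrong in a long Word document, so here is a small coverage checker, added here as an example and not part of the assignment, that you can run over an export of your Security Controls table. It assumes a simple pipe-delimited text format (id | status | narrative) that you would paste or export from the plan; the 25-word narrative minimum and the 10 % “not applicable” ceiling are illustrative thresholds I chose for the example, not the grading rubric. The family counts are those of NIST SP 800-171 Rev. 2.

```python
"""
Coverage check for a System Security Plan's NIST SP 800-171 Rev. 2 control table.

Added example, not part of the assignment. The plan's Security Controls section
is assumed to be exported as one line per requirement (constructed format):
    <id> | <status> | <Who/What/When/Where/Why narrative>
"""
import re
from collections import Counter

# Requirement counts per family in NIST SP 800-171 Rev. 2 (110 in total).
FAMILIES = {
    "3.1": ("Access Control", 22),
    "3.2": ("Awareness and Training", 3),
    "3.3": ("Audit and Accountability", 9),
    "3.4": ("Configuration Management", 9),
    "3.5": ("Identification and Authentication", 11),
    "3.6": ("Incident Response", 3),
    "3.7": ("Maintenance", 6),
    "3.8": ("Media Protection", 9),
    "3.9": ("Personnel Security", 2),
    "3.10": ("Physical Protection", 6),
    "3.11": ("Risk Assessment", 3),
    "3.12": ("Security Assessment", 4),
    "3.13": ("System and Communications Protection", 16),
    "3.14": ("System and Information Integrity", 7),
}
ALL_IDS = {f"{fam}.{n}" for fam, (_, count) in FAMILIES.items()
           for n in range(1, count + 1)}
assert len(ALL_IDS) == 110  # sanity check on the family table above

VALID_STATUS = {"implemented", "planned", "not applicable"}
ROW = re.compile(r"^\s*(3\.\d{1,2}\.\d{1,2})\s*\|\s*([^|]+?)\s*\|\s*(.*)$")
MIN_NARRATIVE_WORDS = 25  # assumption: fewer words is "yeah, we're gonna do that"
MAX_NA_RATIO = 0.10       # assumption: more than 10 % N/A is abuse of the category


def id_key(cid):
    """Sort key so that 3.1.2 sorts before 3.1.10 and 3.1 before 3.13."""
    return tuple(int(p) for p in cid.split("."))


def parse_table(text):
    """Return {id: (status, narrative)}; reject malformed or duplicate rows."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments
        m = ROW.match(line)
        if not m:
            raise ValueError(f"malformed row: {line!r}")
        cid, status, narrative = m.group(1), m.group(2).lower(), m.group(3).strip()
        if cid in rows:
            raise ValueError(f"duplicate control id {cid}")
        rows[cid] = (status, narrative)
    return rows


def check_coverage(rows):
    """Compare the parsed table against the 110 requirement ids and return findings."""
    ids = set(rows)
    known = ids & ALL_IDS
    na_count = sum(1 for s, _ in rows.values() if s == "not applicable")
    per_family = Counter(cid.rsplit(".", 1)[0] for cid in known)
    findings = {
        "missing": sorted(ALL_IDS - ids, key=id_key),       # never addressed
        "unknown": sorted(ids - ALL_IDS, key=id_key),       # typo or wrong revision
        "bad_status": sorted((cid for cid, (s, _) in rows.items()
                              if s not in VALID_STATUS), key=id_key),
        "thin": sorted((cid for cid in known                 # too little narrative
                        if rows[cid][0] != "not applicable"
                        and len(rows[cid][1].split()) < MIN_NARRATIVE_WORDS), key=id_key),
        "na_ratio": na_count / len(ALL_IDS),
        "family_coverage": {fam: (per_family[fam], count)
                            for fam, (_, count) in FAMILIES.items()},
    }
    findings["na_abuse"] = findings["na_ratio"] > MAX_NA_RATIO
    return findings


# Constructed sample rows: one complete entry, one thin entry, one N/A, one bad id.
SAMPLE = """\
# id | status | narrative
3.1.1 | Implemented | Who: the IT manager owns Active Directory group membership. What: every domain account is tied to a named employee and mapped to the least-privilege groups for that job. When: accounts are created at onboarding and reviewed quarterly. Where: the on-site domain controller. Why: 3.1.1 requires limiting system access to authorized users.
3.1.2 | Implemented | Need access only.
3.9.2 | Not Applicable | No personnel transfers occur at this company.
3.13.99 | Planned | bogus id
"""

if __name__ == "__main__":
    f = check_coverage(parse_table(SAMPLE))
    for fam, (name, _) in FAMILIES.items():
        done, total = f["family_coverage"][fam]
        print(f"{fam:<5} {name:<40} {done:>2}/{total}")
    print("missing:", len(f["missing"]), "unknown:", f["unknown"],
          "thin:", f["thin"], "N/A abuse:", f["na_abuse"])
```

Run it as-is to see the report on the constructed sample; replace SAMPLE with your exported table to check your own plan. A missing id, an unknown id (usually a typo or a Rev. 3 number in a Rev. 2 plan) and a thin narrative are each reported separately so you can fix them before submission.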
Notes: Did you watch the Term Project Hints video?
Expectations: A single Microsoft Word document