System Security Plan Tool
"As we started the research for the HIPAA and 17799 projects we came
across a number of references to DITSCAP and NITSCAP. The purpose of
the system security plan (SSP) is to provide an overview of the
security requirements of the system and describe the controls in
place or planned, responsibilities and expected behavior of all
individuals who access the system. It is a core component of DITSCAP.
The system security plan should be viewed as documentation of the
structured process of planning adequate, cost-effective security
protection for a system. It should reflect input from various
managers with responsibilities concerning the system, including
information owners, the system operator, and the system security
manager. Additional information may be included in the basic plan and
the structure and format organized according to agency needs, so long
as the major sections described in this document are adequately
covered and readily identifiable. Michael Kirby has developed a tool
to help generate an SSP. It is available here on an as-is basis;
SCORE takes no responsibility for your use of the tool."
Try the tool: http://www.sans.org/score/ssp.php
Gideon T. Rasmussen
CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.gideonrasmussen.com/contact.html
http://www.ussecurityawareness.org
http://groups.yahoo.com/group/insider-threat
Posted: Thu Aug 17, 2006 12:18 am
Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.