NIST 800-171 r2 - 3.12.4 reads: "Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems."
To prove to an assessor that you are periodically updating your System Security Plan, you need to snapshot it regularly. Here is the best way to do that in FutureFeed.
- Go to Deliverables>SSP Report
- Click the Word icon to generate a current copy of the SSP
- When the report is ready, click on the edit pencil next to it and approve the new version.
- Use the Version Notes field to record any changes made since the last report was generated.
- The system will automatically record your name, date, and time of the approval of the report.
Done. You now have a record of updating your SSP.
Part Two: Remembering to update the SSP
So it is easy to snapshot the SSP and add version notes. But how do you remember to accomplish the task? Create a procedure with quick instructions and assign it to the Big Picture/Scope/SSP Accountable Employee.
Here are the steps:
- Go to Tech&Docs>Procedures and click "+" to create a new procedure
- Assign the "A" in RACI to the SSP Accountable Employee role
- Tag it to 3.12.4, so it will appear as evidence to the assessor
- Switch to the Task Assignments tab and create a new task
- Set it to recur monthly or quarterly, whatever your organization chooses
Done. Your accountable employee will get an email reminder whenever it is time to snapshot the SSP.
Screenshots below:
Screenshot of the procedure which is tagged to 3.12.4 so it will appear as evidence in that control:
Screenshot of the recurring task assigned to the SSP Accountable Employee:
Evidence tab where the completed task will be stored:
Questions? Email support@futurefeed.co