Every organization must create a cybersecurity profile (system security plan (SSP))
for all of its major and minor information systems. The cybersecurity profile
documents the current and planned controls for the system and addresses
security concerns that may affect the system’s operating environment. The
cybersecurity profile includes security categorizations and security controls,
and is included in the certification and accreditation package. For this
project, you will create a sample cybersecurity profile describing the security
posture of your selected organization.
Learning Objectives
After completing this project, students will be able to
1. Select and incorporate appropriate management,
technical, and operational security controls into a system security plan.
2. Integrate and evaluate management, technical, and
operational controls in the context of an information security program.
3. Develop a sample System Security Plan for an
information system.
Deliverable
Your sample cybersecurity profile should
be at least five full pages, double spaced, 1-inch margins, in New Times Roman
12-pitch font, with a cover page (name, course number, date, title of paper)
and a reference page. The cover page and reference page are not included in the
five-page minimum. Papers not meeting the five full-page minimum will lose
points. You must have at least three sources, correctly formatted per APA
guidelines. Submit your research paper to the appropriate TurnItIn assignment
area by the due date.
Detailed Description of Learning Activity
1. Read NIST Special Publication 800-53 Rev 4 Guide for
Assessing the Security Controls in Federal Information Systems and Organizations,
Building Effective Security Assessment Plans.
2. Review the sample System Security Plan template in
the Project Description area of the classroom.
3. Select one management, one technical, and one
operational control from the eighteen family controls that apply to your
selected organization (e.g., AU – Audit and Accountability).
4. Describe each family control. Include why these
controls are required.
5. For each family control, select two associated
family identifiers (e.g., AU-3 Content of Audit Records).
6. Describe each associated family identifier, describe
the implementation status as it relates to your selected organization’s
security program, and describe how your selected organization implements the
family identifier.
7. Write your sample cybersecurity profile. At a minimum,
the profile should include
   1. an Introduction that includes the purpose of your
      paper and introduces security profiles as they relate to your selected
      organization
   2. an Analysis section that includes Items 3–6 above
   3. a Conclusion that summarizes what you wrote