Added 4/1/03:
System Security Plan
As we started the research for the HIPAA and 17799 projects we came across
a number of references to DITSCAP and NIACAP. The purpose of the system
security plan (SSP) is to provide an overview of the security requirements
of the system and to describe the controls in place or planned, the
responsibilities, and the expected behavior of all individuals who access the
system. It is a core component of DITSCAP. The system security plan should
be viewed as documentation of the structured process of planning adequate,
cost-effective security protection for a system. It should reflect input
from various managers with responsibilities concerning the system,
including information owners, the system operator, and the system security
manager. Additional information may be included in the basic plan, and the
structure and format may be organized according to agency needs, so long as the
major sections described in this document are adequately covered and
readily identifiable. Michael Kirby has developed a tool to help generate
an SSP. It is available here on an as-is basis; SANS takes no responsibility for
your use of the tool.
System Security Plan (ZIP)