William,

A System Security Plan (SSP) documents the controls that have been selected to mitigate the risk of a system. The controls are determined by the Risk Analysis that provide a catalog of controls with templates. The SSP lists important information about the system including the system owner, name of the system, and list of security controls selected for the system (UAB Research, 2019). Each control listing includes a sufficient description which would allow the system owner or an auditor to verify the effectiveness of that control. The SSP is the main document of a security package in which a Content Security Policy (CSP) describes all the security controls in use on the information system and their implementation. Once completed, an SSP provides a detailed narrative of a CSP’s security control implementation, a detailed system description including components and services inventory, and detailed depictions of the system’s data flows and authorization boundary (FedRamp, 2019).

Every company is different and branches within that company may be different as well. This implies that they will have different risks. For example, an e-commerce company has a completely different risk profile than a manufacturer that sells products through channels. The company needs to understand its specific risks, so they know what to focus on. This does not have to be an extremely formal process but does need to be recorded and updated (Covington, 2016). The risk-based nature of the SSP makes planning ahead even more important. It gives the entire team at a facility the time and perspective to look at the facility and its security as a whole. For many companies that are going to mean a much smoother SSP submittal and approval process.

One-Size fits all approach is not the most effective for every organization. Implementation of separate plans for each field office will allow Red Clay Renovations to keep systems secure and mitigate system risk in the most cost-effective manner. Implementing policies that protect company assets and information from destruction or disclosure will help to ensure the confidentiality and integrity of information and systems. Therefore, Red Clay Renovations must create and implement a separate SSP for each field office.

Reference

UAB Research. (2019). What is a System Security Plan? Retrieved from https://www.uab.edu/research/administration/office…

FedRamp. (2019). Developing a System Security Plan (SSP). Retrieved from https://www.fedramp.gov/developing-a-system-securi…

Covington, R. (2016). When it comes to security standards, one size doesn’t fit all. Retrieved from https://www.csoonline.com/article/3054556/when-it-…