System Security Assessment Plan Template
Template Version: 1.1c DOI: 10.15497/RDA00144
Template Date: Nov 24, 2025
Prepared by: Patricia Buendia, Patrick Shironoshita, Lars Eklund, David Molik, Natalie Meyers, EOSC-Future/RDA Artificial Intelligence and Data Visitation Working Group (AIDV WG) DV4RDA project
Description/Abstract
This System Security Assessment Plan Template is a standardized framework developed by the EOSC Future/RDA AIDV-WG and others to evaluate and approve the security of data visitation systems (i.e., platforms that enable controlled, temporary access to sensitive research data without transfer). The template requires an outline of team composition, assessment scope, procedures, and deliverables for evaluating system code, security documentation, and AI model safeguards against standards such as NIST SP 800-171[1] and ISO/IEC 27018[2]. The template also emphasizes code review, authentication integrity, data leakage prevention, dependency and container security, and continuous monitoring. These measures support consistent approval decisions, remediation recommendations, and final sign-off to ensure that data visitation technologies meet rigorous cybersecurity and compliance requirements. This template is recommended for future Data Visitation System Security Assessments.
[1] R. Ross and V. Pillitteri, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” National Institute of Standards and Technology, NIST Special Publication (SP) 800-171 Rev. 3, May 2024. doi: 10.6028/NIST.SP.800-171r3.
[2] “ISO/IEC 27018:2025,” ISO. Accessed: Nov. 17, 2025. [Online]. Available: https://www.iso.org/standard/27018
Table of Contents
System Security Assessment Plan
1. Selection of an Assessment Team by Expertise
2. Scope of Assessment and Approval Criteria
  Data Visitation Code Review
  Data Visitation System Security Plan (SSP) Review
  Data Visitation Technology Review
3. Assessment Guidelines & Standards
4. Assessment Procedures
5. Deliverables & Reporting (Data Visitation Approval Documentation)
6. Timeline
7. User Access and Data Flow Diagram of the System to be Evaluated
8. Post-Assessment Findings and Recommendations
Appendices
  Appendix 1: Applicability of NIST SP 800-171 controls to data visitation systems
  Appendix 2: Example Recommendations
  Appendix 3: Example Flow Diagram: User Access and Data Flow
System Security Assessment Plan
This document outlines the security assessment plan for a data visiting system.
System Name: ____________________
System Version: __________
Date Completed: __________
Prepared by: ____________________
1. Selection of an Assessment Team by Expertise
To ensure agility and efficient task distribution, a focused, small team should be formed for the assessment. Use the template to assign persons to essential roles according to expertise.
Identify System Security Evaluators for your assessment: A team of independent, certified security professionals should conduct the assessment. These experts can be identified through professional networks, cybersecurity firms specializing in disciplinary specific domains like healthcare, or referrals from trusted partners.
Objective: The primary objective is for the team to assess and approve the data visiting platform's system security implementations. Actionable recommendations may be provided to further enhance security.
● Code Evaluators (Computer Science, Cybersecurity, and System Security Background): Source code inspection should be restricted to individuals with a demonstrable background in computer science, including relevant degrees or substantial professional experience in software development and security analysis. Some systems require specific subspecialties like digital biosecurity, or cyberbiosecurity experts.
Task: These individuals will perform code reviews, identifying vulnerabilities and providing actionable recommendations.
Requirements: These individuals must have a computer science background with system security specialization and may need to sign an NDA to access proprietary computer code.
  ○ Name with link to Profile: _____________________________________
  ○ Name with link to Profile: _____________________________________
  ○ Name with link to Profile: _____________________________________
Estimate Code Evaluators’ Time Effort: (e.g. 2-3 hours and/or 2 weeks to complete task): _____________________________________
● System Security Plan (SSP) Evaluators (System Security Background): Individuals reviewing the SSP may possess a broader range of backgrounds, including security policy experts, compliance officers, and risk management professionals.
Task: These individuals will evaluate the SSP for completeness, accuracy, and adherence to relevant standards.
Requirements: These individuals must be either security policy experts, compliance officers, or risk management professionals.
  ○ Name with link to Profile: _____________________________________
  ○ Name with link to Profile: _____________________________________
  ○ Name with link to Profile: _____________________________________
Estimate SSP Evaluators’ Time Effort: (e.g. 2-3 hours and/or 2 weeks to complete task): _____________________________________
● Tool Evaluators: Pilot the DV Tool (System Security Background): Individuals will install and run the tool.
Task: Install and run the data visitation tool with sample data.
Requirements: These individuals must be IT proficient.
  ○ Name with link to Profile: _____________________________________
  ○ Name with link to Profile: _____________________________________
  ○ Name with link to Profile: _____________________________________
Estimate Tool Evaluators’ Time Effort: (e.g. 2-3 hours and/or 2 weeks to complete task): _____________________________________
● Internal Liaison / Assessment Team Project Manager: a designated representative from the Organization with a Data Visitation Technology to be tested.
Task: Act as Assessment Team liaison, providing access to necessary documentation and facilitating project communication between the assessment team and internal stakeholders.
Requirements: Background in project management or equivalent skillset
  ○ Name with link to Profile: _____________________________________
Estimate Liaison's Time Effort: (e.g. 2-3 hours weekly): _________________
2. Scope of Assessment and Approval Criteria
Data Visitation Code Review
A focused review of the platform's data visitation source code by qualified individuals should be undertaken to determine if the code meets security approval criteria. The below assessment elements are recommended.
● Sensitive Data Exposure Analysis:
  ○ Focus: Identify code segments that transmit, process, or store sensitive information (e.g., personally identifiable information, financial data, authentication credentials).
  ○ Manual Review: Conduct a thorough manual review of code related to:
    ■ Data input and output.
    ■ Data storage and retrieval.
    ■ API interactions.
    ■ AJAX like calls.
  ○ Automated Tools: (Time permitting) Utilize Static Application Security Testing (SAST)[3] tools to automate code analysis for potential sensitive data leaks.
● Injection Vulnerability Assessment:
  ○ Focus: Identify and assess the risk of common injection attacks (e.g., SQL injection, cross-site scripting) that could lead to data destruction or unauthorized access.
  ○ Manual Review:
    ■ Examine AJAX-like calls and database interactions for potential injection vulnerabilities.
    ■ Review input validation and sanitization routines.
  ○ Automated Tools:
    ■ Dynamic Application Security Testing (DAST)[4] tools to simulate real-world attacks.
    ■ Interactive Application Security Testing (IAST)[3] tools for runtime analysis.
● Authentication and Authorization Security:
  ○ Focus: Evaluate the security of user authentication and authorization mechanisms.
  ○ Manual Review:
    ■ Inspect password storage and hashing practices (e.g., use of salted hashes).
    ■ Analyze API call token generation and validation.
    ■ Review user role management and elevation of privilege vulnerabilities (e.g., plaintext calls to rights database).
  ○ Automated Tools: (Time permitting) Utilize penetration testing tools to simulate authentication and authorization attacks.
[3] SAST, IAST: https://www.semanticscholar.org/paper/Interactive-Application-Security-Testing-Pan/4d3065d450a12b028b38a2e65fd5fde35537bdc8
[4] DAST: https://ieeexplore.ieee.org/abstract/document/10543484
● Dependency Vulnerability Assessment:
  ○ Focus: Identify and assess known vulnerabilities in third-party libraries and packages.
  ○ Automated Tools:
    ■ Software Composition Analysis (SCA)[5] tools to analyze dependency versions and identify known vulnerabilities.
    ■ Ensure that all dependency library/package versions are up to date.
● Security Monitoring and Alerting:
  ○ Focus: Evaluate the effectiveness of existing security monitoring and alerting systems.
  ○ Manual Review:
    ■ Review security logs and monitoring dashboards.
    ■ Assess the timeliness and accuracy of security alerts.
    ■ Confirm the presence of alerting systems, and monitoring of the systems.
● Consult NIST Community Profiles and CSWP (cybersecurity white papers)[6] for disciplinary and community specific guidance
  ○ Community Profiles provide a way for communities (i.e., groups of organizations that share a common context and an interest in their cybersecurity posture) to describe a consensus point of view about cybersecurity risk management. The NCCoE provides examples of Community Profiles and other resources to help communities understand and develop Community Profiles, e.g. Cybersecurity Framework Profile 3 for Genomic Data (NIST IR 8467 ipd)[7]
  ○ Disciplinary-specific cybersecurity white papers (CSWP) offer nuanced guidance, e.g. “Cybersecurity Threat Modeling the Genomic Data Sequencing Workflow” (CSWP) 35. This Draft NIST Cybersecurity White Paper evaluates potential threats in a genomic data processing environment using an iterative methodology. It provides an example use case and demonstrates an approach that organizations can adapt to identify cybersecurity threats and mitigations in their environments.
● Restricted Data Access for AI Models:
  ○ Principle: Assess controls that prevent AI models from accessing or transferring extraneous, secondary data beyond the explicitly authorized scope
  ○ Action:
    ■ Inspect data access policies that limit AI models to only the necessary data for their intended function.
    ■ Develop automated testing tools to monitor and audit data streams accessed by AI models, ensuring they adhere to defined access controls.
    ■ Verify input and output validation.
    ■ Verify data sandboxing.
[5] https://arxiv.org/pdf/1909.00973
[6] https://csrc.nist.gov/publications/cswp
[7] https://doi.org/10.6028/NIST.IR.8467.2pd
● AI Model Security Assessment & Data Leakage Prevention:
  ○ Principle: Conduct thorough security assessments of AI models, particularly those interacting with external APIs (e.g., OpenAI), to identify and mitigate potential vulnerabilities
  ○ Action:
    ■ Implement rigorous data leakage testing to verify that sensitive data is not being transmitted or stored by the AI model.
    ■ Assess the model's resilience against adversarial attacks, including prompt injection and data poisoning.
    ■ Establish incident response plans for potential security breaches, including ransomware attacks.
    ■ Implement rate limiting to prevent abuse and reduce the risk of data exfiltration through repeated or automated queries.
● Securing Intelligent Agents
  ○ As AI systems evolve from simple assistants to fully autonomous agents, they introduce increasingly complex security risks that data visitation platforms using such agents must actively address. Each level of autonomy, from observing and acting under human guidance to making independent decisions, creates new vulnerabilities that traditional incident response strategies are not equipped to manage. Given the significant computational demands of AI agents, data visitation platforms are generally expected to rely on no more than a single agent. However, even one agent, when granted decision-making authority and tool access, presents a delicate balance between utility and risk.
  ○ The Coalition for Secure AI (CoSAI)’s AI Incident Response Framework[8] is addressing these unique, dynamic risks posed by intelligent, autonomous systems with support from major technology companies, including Google, which recently donated data from its secure AI framework (SAIF)[9].
  ○ Key assessment procedures recommended by CoSAI include:
    ■ Agent Behavior Profiling: Establish baselines for normal agent behavior to detect anomalies
    ■ Tool Invocation Auditing: Log and review all tool calls made by agents for misuse or escalation
    ■ Prompt and Output Screening: Analyze inputs and outputs for signs of injection, hallucination, or leakage
    ■ Cross-Team Incident Playbooks: Develop shared protocols across security, ML, and product teams for coordinated response
    ■ Red Teaming and Simulation: Regularly test agent resilience through adversarial scenarios and stress testing
    ■ Post-Incident Forensics: Conduct root cause analysis and update guardrails and policies based on findings
    ■ Continuous Risk Mapping: Use dynamic threat models that evolve with agent capabilities and deployment contexts
[8] https://github.com/cosai-oasis/ws2-defenders/blob/main/incident-response/AI%20Incident%20Response.md
[9] https://www.oasis-open.org/2025/09/16/google-donates-secure-ai-framework-saif-data-to-coalition-for-secure-ai/
● Data Corruption Prevention & Model Versioning:
  ○ Principle: Evaluate measures used to prevent data corruption and ensure data integrity, particularly for time-sensitive or highly sensitive data (e.g., genomic data).
  ○ Action:
    ■ Verify that robust data integrity checks have been implemented, including checksums and data validation routines, through code inspection and review.
    ■ Utilize "Sa e Ou S a e" (SOS) tests to identify and prevent data corruption.
    ■ Verify that strict model versioning and locking mechanisms have been implemented, to prevent unauthorized modifications or data drift.
    ■ Verify that data provenance tracking has been implemented, and verify that tracking is accurate
● Temporality and Time Drift Management:
  ○ Principle: Address the challenges of data temporality and time drift, which can impact the accuracy and reliability of AI models.
  ○ Action:
    ■ Verify that timestamping and versioning mechanisms for all data have been implemented.
    ■ Assess data drift detection and mitigation strategies.
    ■ Assess time-sensitive data validation techniques.
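
For the Tool Invocation Auditing and Agent Behavior Profiling items in the Securing Intelligent Agents list above, the following added example (not part of the template or of CoSAI's framework) reviews a constructed agent tool-call log against a tool allowlist, a sandbox folder and a calls-per-minute baseline. The log format, field names, tool names and thresholds are assumptions.

```python
import json
import posixpath
from collections import deque
from datetime import datetime

# Constructed sample audit log (JSON lines); the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2025-11-17T10:00:00", "agent": "qc-agent", "tool": "read_file", "args": {"path": "study42/reads.fastq"}}
{"ts": "2025-11-17T10:00:05", "agent": "qc-agent", "tool": "read_file", "args": {"path": "../../etc/passwd"}}
{"ts": "2025-11-17T10:00:06", "agent": "qc-agent", "tool": "http_post", "args": {"url": "https://example.invalid/u"}}
{"ts": "2025-11-17T10:00:07", "agent": "qc-agent", "tool": "run_qc", "args": {}}
{"ts": "2025-11-17T10:00:08", "agent": "qc-agent", "tool": "run_qc", "args": {}}
not-json
"""

def inside(root, candidate):
    """True if candidate, joined to root and normalised, stays under root."""
    full = posixpath.normpath(posixpath.join(root, candidate))
    return posixpath.commonpath([root, full]) == root

def audit_tool_calls(lines, allowed_tools, sandbox_root, max_per_minute):
    """Return (line_no, finding) pairs for calls a reviewer should look at."""
    findings, recent = [], deque()
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            tool, args = rec["tool"], rec.get("args", {})
        except (ValueError, KeyError, TypeError):
            findings.append((n, "unparseable_record"))  # a gap in the audit trail
            continue
        if tool not in allowed_tools:
            findings.append((n, "unapproved_tool:" + tool))
        path = args.get("path") if isinstance(args, dict) else None
        if path is not None and not inside(sandbox_root, str(path)):
            findings.append((n, "path_outside_sandbox"))
        # Sliding 60-second window as a crude behaviour baseline.
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > 60:
            recent.popleft()
        if len(recent) > max_per_minute:
            findings.append((n, "rate_above_baseline"))
    return findings

if __name__ == "__main__":
    for finding in audit_tool_calls(SAMPLE_LOG.splitlines(),
                                    {"read_file", "run_qc"}, "/data/visit", 4):
        print(finding)
```
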
Data Visitation System Security Plan (SSP) Review
This Assessment plan template depends on attention to the relevant NIH required NIST SP 800-171 security controls implemented in the data visiting system(s) being tested.
Relevant sections of the SSP should be evaluated for approval based on their completeness, accuracy, and adherence to standards specific to data visitation security. The SSP should address the protection of Controlled Unclassified Information (CUI) as defined by NIST SP 800-171, where applicable, considering the limited scope of data transmission.
Applicable Controls: For data visitation scenarios, NIST SP 800-171 rules concerning access control, authentication, and authorization are highly applicable as they govern who can access the data visitation tool and the underlying data. Audit and accountability rules are also relevant for tracking actions performed during data visitation sessions. Rules regarding system and information integrity, including protection against malware, are crucial to ensure the data visiting tool doesn't compromise the host system or the data itself.
Not applicable Controls: Conversely, rules around physical protection, media protection (pertaining to physical media), and arguably hardware maintenance have limited direct applicability to the data visitation process itself, especially when the data visitation tool is a temporary software layer installed on hardware not owned or maintained by the data visitor; the security of the underlying hardware remains the responsibility of the data owner. However, the data owner's adherence to all NIST SP 800-171 controls is still paramount for the overall security of the CUI being visited.
For further information, consult Appendix 1: Applicability of NIST SP 800-171 controls to data visitation systems.
Data Visitation Technology Review
The core technologies enabling data visitation can be tested with sample data to assess security robustness and compliance with relevant standards using the below Assessment Guidelines and Standards, and following the recommended Assessment Procedures.
3. Assessment Guidelines & Standards
● NIH Guidance for NIH Controlled-Access Data: NIH uses the NIST SP 800-171 guidance. The assessment should verify compliance with the controls outlined in NIST SP 800-171, particularly those related to data access and security, as a key requirement for data visitation feature approval.
● Data Visitation Industry Best Practices: The assessment should consider industry best practices for secure data access and visitation as benchmarks for approval.
● ISO/IEC standard regarding Cloud and PII: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018:2019)
● The Coalition for Secure AI (CoSAI) proposes a new, AI-specific incident response framework that emphasizes continuous monitoring, cross-functional collaboration, and rapid containment strategies tailored to the fluid nature of AI agent threats.
4. Assessment Procedures
● Data Visitation Code Review: Qualified computer scientists will conduct focused code analysis of the data visitation feature to inform the approval decision.
● Data Visitation Policy and Procedure Review: The relevant sections of the SSP and related documentation will be reviewed for data visitation approval compliance.
● Data Visitation Data Flow Analysis: Data flow analysis specific to the data visitation feature will inform the approval decision.
● Data Visitation Security Configuration Review: Security configuration reviews of the data visitation infrastructure will inform the approval decision.
5. Deliverables & Reporting (Data Visitation Approval Documentation)
For each list item below assign a responsible party and record when the report/activity was completed and how to access it:
b. Note: Login is required for the QC-App IP address or localhost separately from FAIRLYZ.com
c. Note: login is not required if already logged in. The session expires after 24 hours.
Step 6. The system verifies that the user who logs in is the same user who owns the study and data profile in FAIRLYZ.com
a. If verified, the system proceeds with data visitation and QC
b. If not verified, the access is blocked
Step 7. Data access is restricted to the Docker installation folder.
Step 8. The user runs QC on the data
Step 9. The user syncs QC results to FAIRLYZ.com
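
Steps 6 and 7 and the 24-hour session note above, written as a single access check; this is an added illustration, not FAIRLYZ or QC-App code. The session and study field names, the folder layout and the function names are assumptions, and the sample users and paths are constructed.

```python
import os
import tempfile
import time

SESSION_TTL = 24 * 3600  # the flow above states sessions expire after 24 hours

def authorize_visit(session, study, requested, install_dir, now=None):
    """Return (allowed, reason) for one data access request."""
    now = time.time() if now is None else now
    if now - session["login_time"] > SESSION_TTL:
        return False, "session_expired"
    # Step 6: the logged-in user must own the study and data profile.
    if session["user_id"] != study["owner_id"]:
        return False, "not_owner"
    # Step 7: resolve symlinks and ".." before comparing with the install folder,
    # so a link or relative path cannot lead outside it.
    root = os.path.realpath(install_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return False, "outside_install_dir"
    return True, "ok"

def demo():
    """Run constructed requests against a temporary install folder."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "qc-app")
        os.makedirs(os.path.join(install, "data"))
        # A symlink inside the folder that points outside it.
        os.symlink(tmp, os.path.join(install, "data", "escape"))
        owner = {"user_id": "u1", "login_time": 1000.0}
        other = {"user_id": "u2", "login_time": 1000.0}
        study = {"owner_id": "u1"}
        cases = [
            (owner, "data/sample.csv", 2000.0),
            (other, "data/sample.csv", 2000.0),
            (owner, "../secrets.txt", 2000.0),
            (owner, "data/escape/secrets.txt", 2000.0),
            (owner, "data/sample.csv", 1000.0 + SESSION_TTL + 1),
        ]
        return [authorize_visit(s, study, p, install, t)[1] for s, p, t in cases]

if __name__ == "__main__":
    print(demo())
```
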
Please cite this document as: Patricia Buendia, Patrick Shironoshita, Lars Eklund, David Molik and Natalie Meyers. “System Security Assessment Plan Template.” DV4RDA Project of the EOSC-Future/RDA Artificial Intelligence and Data Visitation Working Group. Research Data Alliance. November 17, 2025.
Acknowledgements
This DV4RDA project has received funding through RDA TIGER from the European Union’s Horizon Europe framework programme under grant agreement No. 101094406. Views and opinions expressed are however those of the authors only and do not necessarily reflect those of the European Union or institutions represented here. Neither the European Union nor the institutions can be held responsible for them.