Module 7 Assignment
Marc Leeka
December 5, 2016
CSOL 550 Management and Cyber Security Final Assignment Marc Leeka
Executive Summary
The objective of system security planning is to improve protection of information system resources. All
information systems have some level of sensitivity and require protection as part of good management
practice. The protection of a system must be documented in an information system security plan.
An information system security plan (ISSP) is a formal document that provides an overview of the
security requirements of the system and describes the controls in place or planned for meeting those
requirements. The plan also delineates the responsibilities and expected behavior of all individuals who
oversee the system. It should be viewed as documentation of the structured process of planning adequate,
cost-effective security protection for a system, and it should reflect input from the managers with
responsibilities concerning the system, including information owners, the system owner, and the Chief
Information Security Officer.
This brief paper lays out the process to create an ISSP for a fictitious software company, but the procedure
and templates could be used for almost any company. Depending on the size of the organization, some
sections may be omitted. If the organization possesses unique information assets, it will be necessary to
add sections that address the specific risk management, controls and prioritization of those assets.
Because an ISSP is a living document, it has an expiration date with the expectation that the review and
reassessment of all information assets will be a continuous process. The expiration date can be repeatedly
renewed based on future review and the institution of new and more effective controls.
1. Company Summary
The company's Chief Technology Officer was a founder. Soft-Technical recently hired a Chief
Information Security Officer who reports to the CEO and the board. The company's IT Manager reports to
the Chief Operating Officer.
Soft-Technical has one Microsoft Windows network that joins 140 computers to data stored on three
servers. Depending on the department a user is assigned to, they have access to development
applications, accounting information or human resources information. The network is firewalled.
Employees may connect their personal cellphones and laptops wirelessly to an internet-only segment in
the DMZ; there is no wireless access to the internal network. The company provides remote customer
support through a commercial internet-connected product. Employees working at customer sites connect
to the Soft-Technical network using Microsoft Remote Desktop. The remote support product and the
Remote Desktop path are the two external entry points described here, so the inventory in section 3
should record how each is brokered and authenticated. Soft-Technical does not host the web-based
applications it develops.
2.1 Roles
Information security is most effective when it is formalized, written and the participating parties agree to
their responsibility to ensure the security of assets. If the necessary tasks to ensure the information safety
are not specified and the effort is voluntary, the tasks are not prioritized in the organization. The
importance of information security is then relegated well behind the other time-consuming business
objectives such as increasing profits, lowering costs and rushing new products and services to market.
Because worker performance is generally evaluated with these other factors and not with information
security, there is a tendency for information security to be compromised in favor of other objectives.
Workers must be explicitly instructed how to act in ways that maintain information security. Some of the
most effective ways to accomplish this are through specific words appearing in job descriptions and
organizational unit mission statements. Even in those rare and progressive organizations where worker
performance evaluations include consideration of information security, there is still a need to be clear
about just what workers should be doing. When management is clear about roles and responsibilities, the
proper balance between security and competing objectives will also be much easier to strike.
Roles and responsibilities documentation also states the importance of information security and the
consequences of failing to prioritize it and to exercise safe habits. Roles also help define a graduated
set of disciplinary actions, up to and including termination. Intermediate actions include denial of pay
raises, bonuses, promotions, transfers to other organizational units or special training, and forced time
off without pay. Besides providing a reference point for the worker performance review process, clearly
documented roles and responsibilities show what people should be doing, how they should be doing it,
and when they should be doing it. 1
The CISO is the top information security officer at Soft-Technical, responsible for the assessment,
management and implementation of the organization's information security program. The CISO provides
organization-wide information security oversight with specific competencies in information security
practices, and manages the office of information security personnel. Additionally, the CISO: 2
manages the identification, implementation, and assessment of common security controls;
ensures that personnel with significant responsibilities for system security plans are trained;
assists senior management with their responsibilities for system security plans; and
is assigned as the Information System Owner.
The security manager is responsible for the day-to-day operation of the information security program. The
Security manager is responsible for policy development, risk assessment, contingency planning, and
operational and tactical planning for the security function.
The security administrator is responsible for the day-to-day operations and management of security
technology, as well as providing assistance in the development and conduct of training, programs and
policy. Additionally the security administrator analyzes and designs security solutions for specific
domains (firewall, IDS, antivirus).
The security officer creates and institutes measures to safeguard sensitive information within a computer
network. He/she researches, develops, implements, tests and reviews the company's information security
in order to protect information and prevent unauthorized access. The security officer informs users about
security measures, explains potential threats, installs software, implements security measures and
monitors the network. He/she defines, creates and maintains the documentation for certification and
accreditation of each information system, and assesses the impact of system modifications and
technological advances. The security officer has the authority to deny authorization to operate (or, if the
system is already operational, to halt operations) if unacceptable security risks exist.
The security technician is responsible for the day-to-day configuration and management of intrusion
detection and prevention systems (IDPS), security software and firewalls.
Organizations that effectively engage all employees to be responsible for information security have
published policies that are created by an organization-wide committee representing many stakeholder
interests. Similar to a policy committee, the ISSP can be written, revised and implemented by a
committee with organization-wide representation. Most of the ISSP components will require a technical
understanding of the companys information assets, but identification of those assets and implementation
of the plan will be enhanced by the inclusion of employees outside of the IT and information security
department.
2.2 Responsibilities
Certain basic information security functions should be present in any organization. It does not matter
whether the functions are all organized under the information security department; what matters is that
the functions are performed somewhere in the organization.3
Most of the assignments will be to information security roles. A small or mid-sized organization may not
have personnel specifically hired for every role title, therefore some assignments may go to other
departments (for example, training may be assigned to human resources).
3 Planning
The ISSP will commence with an inventory of the hardware and software assets of the company.
Hardware can include computers, servers, firewalls, routers, switches, storage drives and other
components found at the business. Software includes the most common commercially-available
applications such as Microsoft Windows, the Microsoft Office suite and antivirus software. All custom
applications must be included in the inventory. In most small and mid-sized organizations, the
information technology department will be assigned to inventory hardware and software because they are
most familiar with its location and configuration.
The hardware and software assets will be inventoried using this form:

Ownership: assigns a unique system identifier for future reference, names the owner, and identifies who
is responsible for the system if it fails to perform or if this assessment must be revised to address a new
threat or a system change.
  System name:
  Owner and contact information:
  Other designated contacts and contact information:
  Assignment of security responsibility and contact information:

Categorization: based on the potential impact on the organization should events occur that jeopardize
the information and information systems it needs to accomplish its mission, protect its assets, fulfill its
legal responsibilities, maintain its day-to-day functions and protect individuals. Security categories are
used together with vulnerability and threat information in assessing risk to the organization.
  Security categorization (Low / Moderate / High):

System description: purpose and interdependent connections to other systems (if those systems were to
fail, the threat could roll over to this system, or vice versa).
  Function or purpose of the system and the information it processes:
  System type (major application / general support system):
  Technical system environment, including primary hardware, software and communications equipment:
  System interconnections / information sharing:
  Current operational status (operational / under development / pending modification):

Controls: the specific control baseline and governing policies (including legal or regulatory
requirements, such as HIPAA or state and federal rules on disclosure of employee information).
  Minimum security controls baseline (Low / Moderate / High):
  Governing laws/regulations/policies for this control:
  Description of how all the minimum security controls in the applicable baseline are implemented or
  planned to be implemented:

Authorizations:
  Authorizing official, title, and contact information:
  Revision version and date:
  Information System Security Plan approval date:
  Expiration:

Form 1: Hardware and Software Asset Inventory
4 Risk Management
Information owners are employees who have been assigned responsibility for the proper management and
handling of a particular type of information on behalf of the company. Owners do not legally own the
information in question; they instead make decisions on behalf of the company, which legally owns the
information. An owner may delegate activities to another entity but an owner's responsibilities may not be
delegated. If an owner has not been officially assigned, the creator of the information will perform as an
interim owner.
Owners must understand how the information they are charged with overseeing is used inside and outside
of the organization. They must also understand the potential liabilities associated with the information,
including unauthorized disclosure, modification or deletion, plus the financial and legal consequences that
could be incurred. For this reason, owners are most often managers in charge of departments that use or
otherwise manage the information in question. Owners are responsible for approving all requests for
access to the information for which they are the designated owner.
Owners are responsible for classifying the company's information assets based on sensitivity and
criticality. Typical designations on a sensitivity scale are public, internal, confidential and restricted.
Criticality can be defined based on the number of hours, days, or weeks that may elapse before its
unavailability affects business operations.
The information assets (data) will be inventoried using this form. Subsequently the information will be
analyzed by the committee and the information assets will be ranked in order of importance.
Security controls in the security control catalog (NIST SP 800-53, Appendix F) have a well-defined
organization and structure. The controls are grouped into families for ease of use in the control selection
and specification process; each family contains the controls related to its security function, and a
standardized two-character identifier (for example, AC for Access Control) uniquely identifies each
family. Earlier revisions of SP 800-53 also grouped the families into three general classes (management,
operational and technical). Revision 4 dropped the class labels, but the three-way distinction remains a
useful way to divide control responsibilities among the roles in section 2.
Cybersecurity is risk management. A component of that process is for the organization to identify its
assets, assign a valuation to each asset, and estimate the likelihood that a vulnerability in the asset will
be exploited. By knowing the value of its information and of the systems that ensure its flow, the
organization can make rational decisions about how much it should spend to protect that information.
Rather than calculate a quantitative valuation, most organizations will find it easier to make a
qualitative risk assessment. Detailed calculations assigning a dollar value to assets and potential losses
are not used in this method, so a security guidance committee is more likely to reach unanimity quickly.
Answers to the following questions can quickly guide the committee in ranking and prioritizing its
recommendations.
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the highest profitability?
Which information asset is the most expensive to replace?
Which information asset is the most expensive to protect?
Which information asset's loss or compromise would be the most embarrassing or cause the greatest
liability?
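The categorization recorded on Form 1 and the qualitative ranking described above can be carried out as a small, repeatable committee worksheet. The following is an added example, not code from the original paper: it computes the form's Low/Moderate/High security categorization as the FIPS 199 high-water mark over confidentiality, integrity and availability impact, derives criticality from tolerable downtime, scores the committee's questions from 1 to 3, ranks the assets, and flags assets whose protection cost looks out of line with their value (the over- and under-protection case that section 6 raises). The downtime thresholds, the score weights, the mismatch thresholds and the Soft-Technical asset inventory are this example's own assumptions.

```python
"""Qualitative asset categorization and risk ranking for the ISSP committee.

Added example; it is not code from the original paper. Assumptions: the form's
Low/Moderate/High security categorization is the FIPS 199 high-water mark over the
confidentiality, integrity and availability impact levels; criticality is derived from
the hours the company can tolerate the asset being unavailable (the thresholds are this
example's own choice); the committee answers each prioritization question with a score
of 1 (low) to 3 (high). The Soft-Technical assets below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVEL = {"low": 1, "moderate": 2, "high": 3}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# The committee's questions as score keys. "protect_cost" is the cost side of the
# balance and is deliberately left out of the value score.
VALUE_QUESTIONS = ("mission_critical", "revenue", "profitability", "replace_cost", "liability")


@dataclass
class Asset:
    name: str
    owner: str
    sensitivity: str            # public / internal / confidential / restricted
    tolerable_downtime_h: int   # hours before unavailability affects operations
    confidentiality: str        # impact level: low / moderate / high
    integrity: str
    availability: str
    scores: Dict[str, int] = field(default_factory=dict)  # question -> 1..3


def security_category(a: Asset) -> str:
    """FIPS 199 high-water mark: the highest of the three impact levels."""
    return max((a.confidentiality, a.integrity, a.availability), key=LEVEL.__getitem__)


def criticality(a: Asset) -> str:
    """Criticality from tolerable downtime (thresholds assumed for this example)."""
    if a.tolerable_downtime_h <= 4:
        return "high"
    if a.tolerable_downtime_h <= 48:
        return "moderate"
    return "low"


def value_score(a: Asset) -> int:
    """Qualitative value: committee answers (5..15) plus sensitivity (1..4) and criticality (1..3)."""
    answers = sum(a.scores.get(q, 1) for q in VALUE_QUESTIONS)
    return answers + SENSITIVITY[a.sensitivity] + LEVEL[criticality(a)]


def protection_mismatch(a: Asset) -> Optional[str]:
    """Budget-review flag: protection spend out of line with value (thresholds assumed)."""
    cost = a.scores.get("protect_cost", 1)
    value = value_score(a)
    if cost == 3 and value <= 11:
        return "over-protected"
    if cost == 1 and value >= 16:
        return "under-protected"
    return None


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Priority order: highest value first, then highest security category, then name."""
    return sorted(assets, key=lambda a: (-value_score(a), -LEVEL[security_category(a)], a.name))


def report(assets: List[Asset]) -> List[dict]:
    """One row per asset, in priority order, with the fields the committee records."""
    return [{"name": a.name, "owner": a.owner, "category": security_category(a),
             "criticality": criticality(a), "value": value_score(a),
             "flag": protection_mismatch(a)} for a in rank_assets(assets)]


# Constructed sample inventory for Soft-Technical; the scores stand in for committee answers.
SAMPLE_ASSETS = [
    Asset("Source code repository", "CTO", "restricted", 8, "high", "high", "moderate",
          {"mission_critical": 3, "revenue": 3, "profitability": 3, "replace_cost": 3,
           "liability": 2, "protect_cost": 2}),
    Asset("Accounting system", "Accounting manager", "confidential", 72, "moderate", "high", "low",
          {"mission_critical": 2, "revenue": 2, "profitability": 2, "replace_cost": 2,
           "liability": 2, "protect_cost": 1}),
    Asset("HR records", "HR manager", "restricted", 168, "high", "moderate", "low",
          {"mission_critical": 1, "revenue": 1, "profitability": 1, "replace_cost": 2,
           "liability": 3, "protect_cost": 1}),
    Asset("Remote customer support platform", "Support manager", "confidential", 4,
          "moderate", "moderate", "high",
          {"mission_critical": 3, "revenue": 3, "profitability": 2, "replace_cost": 1,
           "liability": 2, "protect_cost": 1}),
    Asset("Guest wireless segment (DMZ)", "IT manager", "public", 24, "low", "low", "moderate",
          {"mission_critical": 1, "revenue": 1, "profitability": 1, "replace_cost": 1,
           "liability": 1, "protect_cost": 3}),
]

if __name__ == "__main__":
    for row in report(SAMPLE_ASSETS):
        print(f"{row['value']:>2}  {row['category']:<8} {row['criticality']:<8} "
              f"{row['name']:<34} {row['flag'] or ''}")
```

The high-water mark is what makes the categorization conservative: the accounting system is "high" even though only its integrity impact is high, which is the behaviour the form's single Low/Moderate/High field implies. The mismatch flag is only a prompt for the committee; whether a "high" asset with a low protection score is really under-protected is decided against the control baseline recorded on Form 1, not by the score.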
Information systems security planning is an on-going process that is revised when the organization
changes its mission, new laws and regulatory mandates are made, or systems undergo major revision.
Contingency planning is an on-going process that is revised when the organization changes its mission,
new threats are identified, disruptions occur to challenge and test the previously made plans, or new or
more cost-effective technologies emerge to strengthen the planning.
Information assets have control baselines that are recorded in the asset inventory (Form 1). It is the
organization's responsibility to continuously monitor for any deviation from those controls. The
organization may find it less expensive to engage an outside service to perform a thorough test of its
security controls.
Contingency planning is planning and preparation for the unwanted. Contingency planning involves
preparing for, detecting and reacting to unexpected events with minimum cost and disruption by
establishing plans, procedures and technical measures to recover all or part of compromised information
systems.4
Contingency planning consists of three planning components that correspond to different time frames of a
business disruption. It first identifies business processes, the impact a system disruption would have on
each, and the estimated downtime. Downtime is the period during which critical system resources are
unavailable in an outage; every organization has a different maximum downtime it can tolerate before
there is an unacceptable impact on the business mission or on other system resources. The three
contingency planning elements are:
Incident response planning (the immediate response to an interruption);
Disaster recovery planning (restoring operations at the primary site after a disaster); and
Business continuity planning (establishing operations at an alternate site).
The committee will review the information asset inventory and create a viable contingency plan for the
organization. Planning will identify natural scenarios (earthquakes, floods, power disruption) and
man-made scenarios (cyberattack, insider attack, workplace violence).
5 Implementation Timeline
In this proposal, the ISSP has been deconstructed into smaller milestones. The ISSP committee will
review the subcomponents and agree to an overall program timeline.
6 Supplemental Budgeting
Implementation of an ISSP may identify information assets that are not protected or those that have
insufficient security controls, in the judgement of the oversight committee. The converse could also
occur, where some assets are over-protected when the committee compares the value of the asset and its
risk against the expense for its security.
Additional net funding for the organization's security program will require approval from upper
management. The committee will detail the cost, description and justification in its request for additional
funding.
A senior management official (a role assigned in the Roles section above) must authorize a system to
operate. Authorization of a system to process information, granted by a management official (the
Security Officer in some organizations, the CEO in very small ones), means that the authorizing role
formally accepts the risk associated with the information assets identified in the plan. It also means that,
in granting authorization, the authorizing role has reviewed the management, operational, and technical
controls of those assets.
Authorization has an expiration date by which the security plan must be reviewed, revised and renewed.
Re-authorization should occur at least once every three years or earlier if there is a significant change in
the system architecture, a significant change in important processes, or if new, significant threats are
discovered.
Ultimately these improvements will protect the organization's information assets and reduce the risk to
them. Upon implementation, Soft-Technical can confidently:
ensure the security and confidentiality of our employees' and customers' information;
protect against anticipated threats or hazards to the security or integrity of our employees' and
customers' information, and of the information that ensures our business success;
protect against unauthorized access to or use of employee or customer information that could result in
substantial harm or inconvenience to either, deviation from Soft-Technical's mission and subsequent
harm to Soft-Technical's reputation;
ensure the organization is compliant with all applicable laws and regulations that protect employee
and customer information;
gain cost savings as a result of security review and optimization, so as to balance security measures
more effectively against the risk posed by each information asset; and
increase the company's long-term viability by investing all employees in its security posture.
References