Abstract: Information Systems Security Plan (ISSP)
1: Company Summary
2: Management
3: Planning
4: Implementation Management
5: Risk Management
6: Cost Management
7: Analysis & Recommendation Management
8: Student Assessment of ISSP to Cyber Management
Abstract: Information Systems Security Plan (ISSP)
When an executive is considering cybersecurity, they must focus on risk management. According to the textbook Cybersecurity for Executives: A Practical Guide, “cybersecurity is about risk management. It is about protecting your business, your shareholders’ investments, and yourself while maintaining competitive advantage and protecting assets.” (Touhill, 2014) The executive must make sure not to get too far into the weeds with the technical aspects of cybersecurity. Their job must be focused on a managerial perspective rather than that of a “tech-head.” This allows the technical subject matter experts to work without being stifled by micromanaging executives, and at the same time allows the executives to focus on the business management side of cybersecurity. Taking this approach, a Participative Leadership Style would most likely benefit an executive in leading the organization in tackling cybersecurity issues. In a participative leadership style a manager delegates authority to the staff, giving them responsibility to complete the tasks. (McCready, 2016) The biggest requirement for managers, and consequently executives, is integrity. If a manager lacks integrity, then the morale of the subordinates will suffer, resulting in less productivity. Integrity is one of the absolute requirements of managers. (Drucker, 2011)
There are many factors that must be considered and included in a corporate Information Systems Security Plan (ISSP). The main factor that must be implemented is an incident response program. According to SANS institute, “any incident is an undesired event for an organization and having a well thought out incident response program provides a layer of protection for an organization providing logical steps to keep the event from escalating out of control.” (Behm, 2003) SANS lays out the incident response plan into six phases: Preparation, Identification, Containment, Eradication, Recovery, and Follow-up. (Behm, 2003) The incident response plan with its six phases shall be executed by a team of people who have the training, talent, and equipment to respond to incidents in a timely and effective manner.
Investments must be made in the cyber security program to protect the organization’s critical, financial, and business investments. Although the initial costs of implementation per PC may seem high, they are small in comparison to a cyber-attack that compromises the hardware and software and steals the PII and PHI of employees and customers. The risk also lies in the compromise of proprietary information and of trust in the organization.
1: Company Summary
1.1 Enterprise Architecture: Sua Sponte Consulting is currently working to develop, design, launch, and maintain a cyber monitoring service and to identify the types of hardware/software likely needed. The existing Sua Sponte Consulting cyber security program was developed and launched in 2001. Sua Sponte Consulting has determined that the information systems need to be more secure and better protect sensitive information belonging to Sua Sponte Consulting, its customers, and its employees; improved information security will also attract potential clients.
Sua Sponte Consulting is a small business that was founded in 1974 and is focused on project management consulting and the implementation of best practice processes and solutions. Our client base consists of other small and medium-sized businesses as well as local, state, and federal government organizations which lack project management experience and expertise.
Sua Sponte Consulting is consolidated in its headquarters in San Diego, California with some consultants traveling to and working from client sites on a temporary basis.
Our services include:
- Project and Program Management (all phases)
- Process Improvement
- Human Capital Resource Management
- Project and Program Management Training (small scale)
2: Management
2.1 Roles and Responsibilities: According to McCready’s lecture, leadership is defined as “the ability to influence a group toward the achievement of goals.” (McCready, 2016) Although this definition of a leader plays a part in management, it does not encapsulate the term management. McCready defines management as “the use of authority inherent in designated formal rank to obtain compliance from organizational members.” (McCready, 2016)
Perhaps a better way to describe management is by describing the basic operations in the work of the manager. “First, a manager sets objectives. Second, a manager organizes. They analyze the activities, decisions, and relations needed. They classify the work. Divide it into manageable jobs. Third, a manager motivates and communicates. Fourth, a manager creates ways to measure progress. The manager creates targets and yardsticks. Finally, a manager develops people, including themselves.” (Drucker, 2011) These five basic operations of a manager will be the yardstick used to define a manager.
A manager has the integrity to take extreme ownership. “Managers take responsibility for contribution. And integrity rather than genius is the basic requirement for managers.” (Drucker, 2011) Integrity is a basic requirement for management because managers must take ownership of the good as well as the bad. This is extreme ownership; it is having the integrity to own the situation even when things went badly.
The CIO is the approval authority for the Information Systems Security Plan.
The CISO is responsible for the development, implementation, and maintenance of the Information Systems Security Plan and associated standards and guidelines. (Palmer, 2000)
The Compliance Officer shall be responsible for ensuring Sua Sponte Consulting’s monitoring adheres to applicable laws and regulations. (Johnson, 2015) The position of Compliance Officer within Sua Sponte Consulting shall be held by the Senior IT manager, and must be approved by the CIO and CISO.
The Administrators and Managers are responsible for creating procedures that ensure information at rest and in transit adhere to the Information Systems Security Plan. (SANS, 2014)
The Users are responsible for using the information, computers, and network systems only for the intended purposes, and for maintaining the confidentiality, integrity, and availability of the information accessed. (Palmer, 2000)
2.2 Planning Management: Cyber security, according to Touhill, “is a holistic set of activities that are focused on protecting an organization’s vital information. Cyber security includes technologies employed to protect information. Effective cyber security preserves the confidentiality, integrity, and availability of information, protecting it from attack by bad actors, damage of any kind, and unauthorized access by those who do not have a “need to know.”” (Touhill, 2014) The bad actors include, but are not limited to nation-states, organized crime, hackers, hacktivists, insider threats, and substandard products and services. (Touhill, 2014) Cyber security managers must be ready to protect against all possible threats. They must be constantly learning about new technologies, new threats, and at times, be creative in mitigating those threats. All this must be done in the most cost effective way.
2.3 Implementation Management: Sua Sponte Consulting shall keep a hybrid model for its cyber security operations. An organization that adopts a hybrid model for cyber security operations will have a small in-house staff that contributes to cyber security operations, as well as a robust managing staff to oversee the operations of not only the in-house staff but also the contractors. Using the hybrid model, the organization will be able to save money on payroll by outsourcing the bulk of the cyber security operations to contractors. The hybrid model will also cut the cost of annual training and of maintaining a professional IT staff. The Implementation Management POC shall be the CISO.
2.4 Risk Management: To executives, the cyber security managers may seem to spend large amounts of funds while producing no products. The cyber security manager must seek to limit costs while also keeping the risks to the enterprise system low. When justifying costs to executives, the cyber security manager may define cyber security according to Touhill, “Cyber security is about risk management. It is about protecting your business, your shareholders’ investments, and yourself while maintaining competitive advantage and protecting assets.” (Touhill, 2014)
Making cyber security about risk management helps nontechnical managers better understand the monetary investment in cyber security. Cyber security does not produce a product to sell to customers; rather, it protects the organization’s current investments. Those investments may include employee and customer health information, banking information, or corporate proprietary information that makes the company millions of dollars.
2.5 Human Resource Management: Human Resources Management shall be responsible for creating and enforcing the rules of behavior. The rules of behavior are an official document which all persons with access to the system must read and sign to confirm that they understand the expectations and responsibilities for their behavior on the organization’s systems. (Swanson, 2006) Once they sign, they have acknowledged that they have read and agreed to follow the rules of behavior. By signing they also recognize that they will be held accountable for any abuse or negligence in not following the rules of behavior. The POC for Human Resources Management shall be the President of the Human Resources Department.
2.6 Cost Management: The manager’s greatest concern has always been and shall always be the organization’s economic budget. “Business management must always, in every decision and action, put economic performance first. It can justify its existence and its authority only by the economic results it produces.” (Drucker, 2011) This is where management in cyber security becomes difficult. Cyber security does not produce a product that makes money. Cyber security spends money to protect the organization from bad actors. Cyber security managers must objectively show how their contributions save the organization money in both the short and long terms through the application of security mechanisms.
Business management is always about financial profits. Cyber security management is about protecting the information that allows the business managers to make those profits. Although it appears at first look that business management and cyber security management are at odds with each other over making money and spending money, the reality is that they must work in concert with each other for the organization to reach its full monetary potential.
3: Planning
3.1 Information Security Implementation: An organization needs each employee to have the necessary access to the network in order to complete production. This access must be balanced with the need to protect against data loss from multiple threats. To accomplish this task, the organization will require an information security plan and must have that plan properly governed. “Desired outcomes of information security governance include aligning Information Security with Business Strategy, Risk Management to Reduce Potential Impacts, Effective Resource Management with Information Security, Performance Measures with Organization Objectives, and Optimize Information Security with Organization Objectives: defines how much security is enough.” (McCready, 2016) Information governance is about balancing the business objectives with the information security requirements of the organization.
3.1.1 Physical security: Physical security shall include closed-circuit television (CCTV), dead bolt locks on doors, a security alarm system for the building, and a security patrol officer for the building and parking structure. The POC for physical security policy shall be the CISO.
3.1.2 Access control: Access control to the building and department sections shall be enforced by access badges that must be worn at all times. The access badges will be coded to a scramble key pad: the badge must be scanned and the proper access code entered. To access user stations, a Common Access Card (CAC) must be inserted into a card reader and the unique access code entered. The POC for access control policies shall be the CISO.
3.1.3 Website Data Security: Website Data Security shall be the responsibility of the CISO. The CISO shall be the POC for the Website Data Security policy.
3.1.4 Mobile and Cloud service: Mobile devices that are not provided by Sua Sponte Consulting shall not be permitted to connect to the information system. Sua Sponte Consulting shall back-up all data to an off-site Cloud service. The POC for the Mobile and Cloud service shall be the CISO.
3.1.5 Timely Integration of Information: For each interconnection between systems that are owned or operated by different organizations, the following information concerning the authorization for the connection to other systems or the sharing of information must be provided:
- Name of system
- Organization
- Type of interconnection (Internet, Dial-up, etc.)
- Authorizations for interconnection (MOU/MOA, ISA)
- Date of agreement
- FIPS 199 Category
- Certification and accreditation status of system
- Name and title of authorizing officials
3.1.6 System Development and Maintenance: The completion date of the system security plan shall be 31 December, 2018. The completion date shall be updated whenever the plan is annually reviewed and updated. When the plan is updated, a version number shall be added. The system security plan shall also contain the date the authorizing official (CIO), or the designated approving authority (CISO), approved the plan. Approval documentation shall be on file as part of the plan.
The system security plan shall be reviewed annually for any change in the system status, functionality, design, etc., to ensure that the plan continues to reflect the correct information about the system. This documentation and its correctness are critical for system certification activity. All plans shall be reviewed and updated annually. Some items to include in the review are:
- Change in information system owner
- Change in information system representative
- Change in system architecture
- Change in system status
- Additions/deletions of system interconnections
- Change in system scope
- Change in authorizing official
- Change in certification and accreditation status
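The two lists above (the required interconnection fields in 3.1.5 and the annual review items in 3.1.6) are easier to keep current when they are checked mechanically rather than by hand. The following Python script is an added example and is not part of the plan or of Sua Sponte Consulting’s tooling. It assumes the plan is kept as a small dictionary record (field names such as `system_owner`, `fips199_category` and the `major.minor` version scheme are assumptions of this example), and it reports which required fields are missing from each interconnection record, whether the annual review is due, and which review items changed between two snapshots of the plan. The sample snapshots are constructed for illustration.

```python
"""Added example: mechanical checks for a system security plan (SSP) record.

Covers section 3.1.5 (required interconnection fields), section 3.1.6
(annual review, version bump) and the list of review items. The field
names and the 'major.minor' version scheme are assumptions of this example.
"""
from datetime import date, timedelta

# Required fields for every interconnection record (section 3.1.5).
INTERCONNECTION_FIELDS = (
    "system_name", "organization", "interconnection_type",
    "authorization", "agreement_date", "fips199_category",
    "ca_status", "authorizing_official",
)

# Plan attributes whose change is an annual review item (section 3.1.6).
REVIEW_ITEMS = {
    "system_owner": "Change in information system owner",
    "system_representative": "Change in information system representative",
    "architecture": "Change in system architecture",
    "status": "Change in system status",
    "interconnections": "Additions/deletions of system interconnections",
    "scope": "Change in system scope",
    "authorizing_official": "Change in authorizing official",
    "ca_status": "Change in certification and accreditation status",
}


def missing_interconnection_fields(record: dict) -> list:
    """Return the 3.1.5 fields that are absent or blank in one interconnection record."""
    return [f for f in INTERCONNECTION_FIELDS if not record.get(f)]


def review_due(last_review: date, today: date, period_days: int = 365) -> bool:
    """True when a full review period has elapsed since the last review (365-day period assumed)."""
    return today - last_review >= timedelta(days=period_days)


def changed_review_items(previous: dict, current: dict) -> list:
    """List the 3.1.6 review items whose underlying field differs between two plan snapshots.

    Interconnections are compared as a set of system names, so that an added or
    removed interconnection is reported even when the existing records are unchanged.
    """
    items = []
    for key, label in REVIEW_ITEMS.items():
        if key == "interconnections":
            before = {ic["system_name"] for ic in previous.get(key, [])}
            after = {ic["system_name"] for ic in current.get(key, [])}
            if before != after:
                items.append(label)
        elif previous.get(key) != current.get(key):
            items.append(label)
    return items


def next_version(version: str) -> str:
    """Bump the plan's version number for an update (assumed 'major.minor' scheme)."""
    major, minor = version.split(".")
    return f"{major}.{int(minor) + 1}"


# Constructed sample data (not taken from the plan): two snapshots of one SSP record.
PREVIOUS_PLAN = {
    "version": "1.0",
    "system_owner": "CIO",
    "system_representative": "Senior IT Manager",
    "architecture": "on-premises, single site",
    "status": "operational",
    "scope": "monitoring service",
    "authorizing_official": "CIO",
    "ca_status": "authorized",
    "interconnections": [
        {"system_name": "ClientPortal", "organization": "Example Client Co.",
         "interconnection_type": "Internet", "authorization": "ISA",
         "agreement_date": "2018-03-01", "fips199_category": "Moderate",
         "ca_status": "authorized", "authorizing_official": "CIO"},
    ],
}
CURRENT_PLAN = {
    **PREVIOUS_PLAN,
    "architecture": "on-premises plus off-site cloud backup",
    "interconnections": PREVIOUS_PLAN["interconnections"] + [
        # New record whose agreement date and FIPS 199 category were never filled in.
        {"system_name": "CloudBackup", "organization": "Example Cloud Provider",
         "interconnection_type": "Internet", "authorization": "MOU",
         "agreement_date": "", "fips199_category": "",
         "ca_status": "pending", "authorizing_official": "CISO"},
    ],
}


def run_review(previous=PREVIOUS_PLAN, current=CURRENT_PLAN,
               last_review=date(2017, 12, 31), today=date(2018, 12, 31)) -> dict:
    """Assemble the review findings for the current snapshot."""
    incomplete = {}
    for ic in current["interconnections"]:
        missing = missing_interconnection_fields(ic)
        if missing:
            incomplete[ic["system_name"]] = missing
    return {
        "review_due": review_due(last_review, today),
        "changed_items": changed_review_items(previous, current),
        "incomplete_interconnections": incomplete,
        "next_version": next_version(current["version"]),
    }


if __name__ == "__main__":
    for name, finding in run_review().items():
        print(f"{name}: {finding}")
```

With the constructed snapshots the script reports that the annual review is due, that the architecture changed and an interconnection was added, that the CloudBackup record is missing its agreement date and FIPS 199 category, and that the next plan version is 1.1. The same checks run against a real plan record simply by replacing the two sample dictionaries.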
3.2 Contingency Planning: A successful contingency program will have a well laid out contingency plan. “A Contingency Plan includes Data Backup, Disaster Recovery, Emergency Mode Operation, Testing and Revision Procedures, and Applications and Data Criticality Analysis.” (ONC, 2014) Using these steps in a training program that requires planned testing and planned exercises followed by review and an update plan will prepare the organization in the event of a disastrous loss of data and/or capabilities. “The best risk management programs have well-defined processes, well-trained and motivated employees who understand and implement the program, and active leadership who maintains ownership over the risk management program.” (Touhill, 2014)
3.2.1 Natural Calamities: In the event of natural calamities that cause major damages to the Information System the POC shall be the CISO.
3.2.2 Power Outage: In the event of a power outage a diesel powered generator shall turn on within five seconds. These generators shall be tested monthly in order to prevent the diesel fuel from becoming unusable. The POC for the diesel powered generators for back-up power shall be the CISO.
3.3 Business Continuity Plan: The scope includes all design, development, coding, licensing, and hosting of Sua Sponte Consulting’s new monitoring services and information systems hardware/software needed. This portfolio will analyze all current contacts and determine target demographics for future and potential clients.
The following criteria must be met:
- Monitoring services
- List of all types of hardware likely needed
- List of all types of software likely needed
- User-friendly environment that is easy to navigate
- Ability to migrate current information systems into new information system
- Information system can be changed/modified easily by Sua Sponte Consulting personnel with minimal effort
- All software and licensing requirements should be included as part of this project
- Information system should be compatible with all current technologies and easily upgradeable
- Ability to work closely with Sua Sponte Consulting IT Manager on coordination of project tasks and resources
- Plan and perform a complete testing process on information system and database in order to ensure functionality
4: Implementation Management
4.1 Proposed Timeline/Execution: Project initiation phase must be completed by December 31, 2020.
Project planning phase must be completed by March 15, 2019. Project planning phase will determine the timeline/schedule for the remaining phases of the project.
4.2 Budget: All proposals must include proposed costs to complete the tasks described in the project scope. Costs should be stated as one-time or non-recurring costs (NRC) or monthly recurring costs (MRC). Pricing should be listed for each of the following items in accordance with the format below:
Item                              NRC       MRC
Project Initiation and Planning   ______    ______
Market Research                   ______    ______
Information System Development    ______    ______
Information System Testing        ______    ______
Information System Deployment     ______    ______
Information System Hosting        ______    ______
NOTE: All costs and fees must be clearly described in each proposal.
5: Risk Management
Risk Management is the process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment, cost-benefit analysis, the selection, implementation, and assessment of security controls, and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. (Swanson, 2014) The POC for risk management shall be the CISO.
5.1 Risk Identification: To determine the inherent risk to the organization five categories were assessed: technologies and connection types, delivery channels, online/mobile products and technology services, organizational characteristics, and external threats.
5.2 Risk Assessment: The inherent risk level was determined to be moderate for technologies and connection types, significant for delivery channels, minimal for online/mobile products and technology services, minimal for organizational characteristics, and significant for external threats. The overall inherent risk for the organization is minimal.
5.3 Analysis & Prioritization: The “normal” cyber security approach to identifying and assessing vulnerabilities in the cyber infrastructure is usually conducted in the form of best practices. These best practices are typically developed through trial and error in mitigating vulnerabilities. “Normal” approaches are also beginning to adopt a scientific method rather than an artistic one. The “normal” approach usually focuses first on testing the known security controls and only then on searching for unknown vulnerabilities.
The “hacker” approach may look similar, but it differs in that hackers take a more creative approach to testing the cyber infrastructure. This creativity is what a black hat hacker needs in order to penetrate a system that denies them access and then exploit it. Hackers also look for the path of least resistance into a system, and they often choose non-conventional ways of solving problems precisely because they must avoid the “textbook” approaches that “normal” cyber security technicians expect. Prioritization of vulnerabilities should therefore account for both views: the controls the organization knows it relies on, and the unconventional paths an attacker would try first.
5.4 Mitigation Planning, Implementation & Monitoring: Security controls shall be in place to mitigate vulnerabilities. Auditors shall conduct continuous monitoring to assess risk to the system. Security controls shall be implemented as required to mitigate future vulnerabilities. The CISO shall have approval authority for implementing security controls to mitigate vulnerabilities.
5.5 Risk Tracking: The auditors must always look at what controls are in place to mitigate risks and evaluate the effectiveness of those controls. (USD, 2016) This is what auditing the system is all about: recognizing the controls that have been put in place to mitigate specific risks and testing whether they are in fact protecting the system from those risks. Once the auditors have verified that the controls in place are doing what they are supposed to do, they test the system for other known vulnerabilities that are new or may have been overlooked in the past. Once they have their results, the auditors must determine whether the company will pay to update current controls, add new controls, or accept the risk to the system by not emplacing any controls. Which controls to focus on is decided early in the process and defined in the audit scope. Since the auditors have finite resources they cannot audit everything; they focus the audit on specific controls in order to be the most productive and cost effective.
5.6 Classification of Risk: The system shall have a FIPS 199 impact level of low, moderate, or high in the security categorization depending on the criticality or sensitivity of the system and any major applications the general support system is supporting.
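The FIPS 199 categorization described in 5.6 follows a high-water-mark rule: the general support system takes, for each security objective, the highest impact level of any major application it supports, and its overall impact level is the highest of the three objectives. The following is an added example (not part of the ISSP) that applies that rule; the application names and impact values are constructed for illustration.

```python
"""FIPS 199 high-water-mark categorization (added example, not from the ISSP).

Each hosted application carries an impact level for each security objective.
FIPS 199 sets the level of the general support system to the highest level
found for that objective across everything it hosts, and the overall system
level to the highest of the three objectives.
"""

IMPACT_ORDER = ("n/a", "low", "moderate", "high")   # ascending severity
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _highest(levels):
    """Return the most severe impact level in `levels` (the high-water mark)."""
    levels = list(levels)
    for level in levels:
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=IMPACT_ORDER.index)


def categorize_system(applications):
    """Categorize a general support system from the applications it hosts.

    `applications` maps an application name to a dict keyed by the three
    objectives with impact levels as values.  'n/a' is permitted for an
    information type (e.g. confidentiality of public data), but FIPS 199
    does not allow it at the system level, so it is raised to 'low' here.
    """
    if not applications:
        raise ValueError("at least one hosted application is required")
    result = {}
    for objective in OBJECTIVES:
        per_app = [app[objective] for app in applications.values()]
        level = _highest(per_app)
        result[objective] = "low" if level == "n/a" else level
    result["overall"] = _highest([result[o] for o in OBJECTIVES])
    return result


def format_sc(categorization, system_name):
    """Render the result in the SC = {...} notation used by FIPS 199."""
    triples = ", ".join(
        f"({o}, {categorization[o].upper()})" for o in OBJECTIVES
    )
    return f"SC {system_name} = {{{triples}}}"


# Constructed sample: three hypothetical major applications on one GSS.
SAMPLE_APPLICATIONS = {
    "payroll": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public_web": {"confidentiality": "n/a", "integrity": "moderate", "availability": "moderate"},
    "incident_tracker": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_APPLICATIONS)
    print(format_sc(sc, "GSS"))
    print("overall FIPS 199 impact level:", sc["overall"])
```

Note that a single high-impact application drags the whole general support system to high; this is the usual argument for segmenting such applications onto their own system boundary so the rest of the environment is not over-categorized.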
5.7 Business Driven Risk: Business management is always about financial profits. Cyber security management is about protecting the information that allows the business managers to make those profits. Although it appears at first look that business management and cyber security management are at odds with each other over making money and spending money, the reality is that they must work in concert with each other for the organization to reach its full monetary potential. The CIO shall be the approval authority for business driven risk.
6: Cost Management
6.1 Provide security infrastructure that reduces development costs: When factoring the initial costs of implementation four categories were considered: hardware, software, IT labor, services, & training, and end-user labor & training. For each of the four categories a one-time initial cost is assessed along with an annual on-going cost to maintain each category. The total one-time initial cost for all categories has been determined to be $1,245. The annual on-going cost for all four categories is $164. Over a three year period this adds up to the $1,736 cost per PC.
6.2 Reduce operational costs: The IT labor/services TCO savings are determined using five categories: PC management services, help desk (tech support), server & network management services, application development, and administrative & other. Each of these five categories shows an annual on-going benefit per PC. The total monetary benefit for a one year period is $745, with a $2,235 monetary benefit over a three year period.
6.3 Reducing development costs: There are other direct cost savings according to the ROI: IT savings and business savings. The IT savings categories include software- clients, software- servers, hardware, IT services, power/electricity usage, and other IT costs. These benefits have a small one-time cost savings of $75 per PC with a $94 annual on-going cost savings per PC. The business savings has three separate categories to include: travel expenses, business services, and other business expenses. The business savings comes to a total of $50 over a three year period per PC. The total cost savings over a three year period is $406 per PC.
6.4 Cost of Security: The cost per Personal Computer (PC) over a three year period totals $1,736.
6.5 Planned costs: The benefits per PC over the same three year period totals $4,113. This gives the organization a net benefit of $2,377 per PC over a three year period. This gives the organization a Return on Investment (ROI) of 137%. The total period of time that it will take for the organization to recoup the expenses of the three years of its investment in cyber security is 12 months.
6.6 Potential costs: Key Performance Indicators (KPIs) are assessed using four categories: sales/marketing performance, business management effectiveness, supply/operations performance, and technology effectiveness. With the implementation of the cyber security program the first three categories will remain the same. However, the technology effectiveness category will see an increase of 27.1% over a three year period. This will result in an overall improvement of 6.8% in organizational performance.
6.7 Comparative costs with industry: It is assessed that the initial investment will cost slightly less than the net benefits of the first year. In each subsequent year the net benefits will outweigh the costs of maintaining the cyber program. The costs and benefits are only projected out to three years because of the speed at which technology advances. Every three years the cyber security program's technology will need to be reassessed to determine whether another large initial investment is needed to replace outdated hardware and software.
7: Analysis & Recommendation Management
7.1 Key Elements: Finding the most well-rounded cyber security staff for the organization must be done in a holistic manner. The employer must consider a potential employee's educational background, work experience, special skills, and certifications. Rarely does an employee meet all of the requirements that an employer is looking for. Therefore, the employer must consider how well the person will fit into the organization's culture and how well they are able to learn new technologies and techniques. If the person has the right attitude of, “I will work hard and learn anything that I don't know,” then they are starting off on the right foot. There will always be a certain amount of intelligence required to do cyber security; however, a hard worker will always outperform someone who is knowledgeable and lazy.
Organizations should keep a hybrid model for their cyber security operations. An organization that adopts a hybrid model for cyber security operations will have a small in-house staff that contributes to cyber security operations as well as a robust managing staff to oversee the operations of not only the in-house staff but also the contractors. Using the hybrid model the organization will be able to save money on payroll by outsourcing the bulk of the cyber security operations to contractors. The hybrid model will also cut the cost of annual training and maintaining a professional IT staff.
7.2 Conclusion and Future Work: There are a few practical and obvious ways to ensure that personnel are following the “spirit” of NIST SP 800-18. First, require all personnel to read and sign the rules of behavior before they are allowed access to the organization's systems. This ensures that personnel know and understand which behaviors are acceptable and which are not. Second, ensure that personnel receive training on safe computing in an office environment as well as at home. This training further reinforces the expectations, rules, and requirements for what behavior is acceptable on the organization's information systems and what behavior is deemed unacceptable. Last, I think that blocking access to non-essential content is a good step in the right direction to keep personnel from being tempted to abuse the organization's information systems. Examples of content that would be blocked include pornography, social media, gaming sites, and video streaming sites. Blocking such sites in the first place prevents personnel from accessing unacceptable content and breaking the rules of behavior.
The ISSP will require more than just an incident response plan. Related plans include a Disaster Recovery Plan (DRP), an Information System Contingency Plan (ISCP), and a Continuity of Operations Plan (COOP). (Swanson, 2010) The DRP applies to major, usually physical, disasters. Examples include earthquakes, firestorms, floods, and hurricanes. The ISCP provides procedures for the assessment and recovery of a system following a system disruption. The COOP focuses on restoring mission essential functions at an alternate site and continuing to perform those functions for up to 30 days. (Swanson, 2010)
Having policies and plans in place will allow the organization to react in a timely and effective manner. The organization will have a greater ability to ensure the confidentiality, integrity, and availability of the organization's information as well as the customers' information. Having these plans in place is also significant because, in the event that an incident occurs, the organization's employees will have a greater understanding of what is expected of them. People will be less likely to run around like chickens with their heads cut off.
8: Student Assessment of ISSP to Cyber Management
The most important thing for a leader to do in the event of a malicious attack on the system is to take extreme ownership of the event. To take extreme ownership of the event the leader must not look to blame subordinate staff for mistakes that have been made. The leader must not ignore or disregard the opinions or advice of peers and subordinates. The leader must listen to peers and subordinates alike, determine the issues, and prioritize the tasks that need to be completed. A leader must take responsibility for their staff and ownership of the event and the resolution of the situation. When a leader shirks ownership of the event it often means that they are shirking their responsibilities as a leader. It means that they were not doing their job as a leader to ensure that their technology and TTPs were up to date to defend against the latest threats. When a leader takes extreme ownership of any situation they will receive the respect and confidence not only of their peers, but also of their bosses and subordinates alike. Their bosses know that they will tell the truth and not look to blame others for their mistakes. Their peers and subordinates know that they will not throw others under the bus to advance their own careers. (Willink, 2017)