
Information Systems Security Plan

CSOL550 Management and Cyber Security


Professor Donald Biedermann Jr
University of San Diego

Marc Leeka

Module 7 Assignment

December 5, 2016
CSOL 550 Management and Cyber Security Final Assignment Marc Leeka

Table of Contents, Tables and Figures

Executive Summary ........................................................................................................................ ii

Company Summary .........................................................................................................................1


Enterprise Architecture .............................................................................................................1
Roles ................................................................................................................................................1
Chief Information Security Officer ..........................................................................................1
Security Manager ......................................................................................................................2
Security Administrator/Analyst ................................................................................................2
Security Officer ........................................................................................................................2
Security Technician ..................................................................................................................2
The ISSP Committee ................................................................................................................2
Responsibilities ................................................................................................................................3
Planning ...........................................................................................................................................4
Risk Management ............................................................................................................................5
Risk Identification ....................................................................................................................5
Risk Assessment .......................................................................................................................6
Risk Analysis and Prioritization ...............................................................................................7
Risk Monitoring ........................................................................................................................7
Contingency Planning ...............................................................................................................7
Implementation Timeline .................................................................................................................8
Supplemental Budgeting ..................................................................................................................8
Authorization ...................................................................................................................................9
Student Assessment of ISSP to Cyber Management .......................................................................9

Table 1: Information Security Functions .........................................................................................3


Form 1: Hardware and Software Asset Inventory ...........................................................................4
Form 2: Information Asset Inventory ..............................................................................................6
Form 3: Implementation Timeline ...................................................................................................8
Form 4: Supplemental Budget Request ...........................................................................................9
References ......................................................................................................................................10

Executive Summary

The objective of system security planning is to improve protection of information system resources. All
information systems have some level of sensitivity and require protection as part of good management
practice. The protection of a system must be documented in an information system security plan.

The purpose of an information system security plan (ISSP) is to provide, through a formal process, an
overview of the security requirements of the system and to describe the controls in place or planned for
meeting those requirements. The system security plan also delineates the responsibilities and expected
behavior of all individuals who oversee the system. The system security plan should be viewed as
documentation of the structured process of planning adequate, cost-effective security protection for a
system. It should reflect input from the various managers with responsibilities concerning the system,
including information owners, the system owner, and the Chief Information Security Officer.

This brief paper lays out the process to create an ISSP for a fictitious software company but the procedure
and templates could be used for almost any company. Depending on the size of the organization, some
sections may be omitted. If the organization possesses unique information assets, it will be necessary to
add sections that address the specific risk management, control and prioritization of those assets.

Because an ISSP is a living document, it has an expiration date with the expectation that the review and
reassessment of all information assets will be a continuous process. The expiration date can be repeatedly
renewed based on future review and the institution of new and more effective controls.


1 Company Summary

Soft-Technical Software is a software development company headquartered in California. The company
develops, customizes and integrates complex enterprise-level solutions with a specialty in advanced web-
hosted applications. Founded recently in 2011 with 8 employees, the company has consistently doubled
its staff annually and now employs 140 full time workers.

The company's Chief Technology Officer was a founder. Soft-Technical recently hired a Chief
Information Security Officer who reports to the CEO and board. The company's IT Manager reports to
the Chief Operations Officer.

1.1 Enterprise Architecture

Soft-Technical has one Microsoft computer network that joins 140 computers to data stored on three
servers. Depending on which department the user is assigned, they have access to development
applications, accounting information or human resources information. The network is firewalled.
Employees are allowed to connect their personal cellphones and laptops wirelessly to the DMZ internet
but there is no wireless access to the network. The company provides remote customer support using a
commercial internet-connected product. Employees working at customer sites can connect to the Soft-
Technical network using Microsoft Remote Desktop. Soft-Technical does not host the web-based
applications developed by the company.

2.1 Roles

Information security is most effective when it is formalized, written and the participating parties agree to
their responsibility to ensure the security of assets. If the necessary tasks to ensure the information safety
are not specified and the effort is voluntary, the tasks are not prioritized in the organization. The
importance of information security is then relegated well behind the other time-consuming business
objectives such as increasing profits, lowering costs and rushing new products and services to market.
Because worker performance is generally evaluated with these other factors and not with information
security, there is a tendency for information security to be compromised in favor of other objectives.
Workers must be explicitly instructed how to act in ways that maintain information security. Some of the
most effective ways to accomplish this are through specific words appearing in job descriptions and
organizational unit mission statements. Even in those rare and progressive organizations where worker
performance evaluations include consideration of information security, there is still a need to be clear
about just what workers should be doing. When management is clear about roles and responsibilities, the
proper balance between security and competing objectives will also be much easier to strike.

Roles and responsibilities documentation also states the importance of information security and the
consequences of failing to prioritize safety and to exercise safe habits. Roles also help define disciplinary
actions up to and including termination. These intermediate disciplinary actions include denial of pay
raises, denial of bonuses, denial of promotions, denial of transfers to other organizational units, denial of
special training, and forced time off without pay. Besides providing a reference point for the worker
performance review process, clearly documented roles and responsibilities show what people should be
doing, how they should be doing it, and when they should be doing it. [1]


2.1.1 Chief Information Security Officer

The CISO is the top information security officer at Soft-Technical, responsible for the assessment,
management and implementation of the organization's information security program. The CISO provides
organization-wide information security oversight with specific competencies in information security
practices. The CISO also manages the office of information security personnel. Additionally the CISO: [2]
- manages the identification, implementation, and assessment of common security controls;
- ensures that personnel with significant responsibilities for system security plans are trained;
- assists senior management with their responsibilities for system security plans; and
- is assigned as the Information System Owner.

2.1.2 Security Manager

The security manager is responsible for the day-to-day operation of the information security program. The
Security manager is responsible for policy development, risk assessment, contingency planning, and
operational and tactical planning for the security function.

2.1.3 Security Administrator/Analyst

The security administrator is responsible for the day-to-day operations and management of security
technology, as well as providing assistance in the development and conduct of training, programs and
policy. Additionally the security administrator analyzes and designs security solutions for specific
domains (firewall, IDS, antivirus).

2.1.4 Security Officer

The security officer creates and institutes measures to safeguard sensitive information within a computer
network. He/she researches, develops, implements, tests and reviews the company's information security
in order to protect information and prevent unauthorized access. The security officer informs users about
security measures, explains potential threats, installs software, implements security measures and
monitors the network. He/she defines, creates and maintains the documentation for certification and
accreditation of each information system. He/she also assesses the impact resulting from system
modifications and technological advances. The security officer has the responsibility to deny
authorization to operate (or, if the system is already operational, halts operations) if unacceptable security
risks exist.

2.1.5 Security Technician

The security technician is responsible for the day-to-day configuration and management of IDPSs
(intrusion detection and prevention systems), security software and firewalls.

2.1.6 The ISSP Committee

Organizations that effectively engage all employees to be responsible for information security have
published policies that are created by an organization-wide committee representing many stakeholder
interests. Similar to a policy committee, the ISSP can be written, revised and implemented by a
committee with organization-wide representation. Most of the ISSP components will require a technical
understanding of the company's information assets, but identification of those assets and implementation
of the plan will be enhanced by the inclusion of employees outside of the IT and information security
departments.


2.2 Responsibilities

Certain basic information security functions should be present in any organization. It doesn't matter
whether the functions are all organized under the information security department; all that is important is
that the functions are performed at some place in the organization. [3]

Most of the assignments will be to information security roles. A small or mid-sized organization may not
have personnel specifically hired for every role title, therefore some assignments may go to other
departments (for example, training may be assigned to human resources).

Function | Description | Assigned to
Risk Assessment | Identifies and evaluates risk present in IT initiatives and/or systems |
Risk Management | Implements or oversees use of controls to reduce risk |
Systems Testing | Evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness |
Policy | Maintains and promotes information security policy across the organization |
Legal Assessment | Maintains awareness of planned and actual laws and their impact, and coordinates with outside legal counsel and law enforcement agencies |
Incident Response | Handles the initial response to potential incidents, manages escalation of actual incidents, and coordinates the earliest responses to incidents and disasters |
Planning | Researches, creates, maintains and promotes information security plans; often takes a project management approach to planning as contrasted with strategic planning for the whole organization |
Measurement | Uses existing control systems and specialized data collection systems to measure all aspects of the information security environment |
Compliance | Verifies that system and network administrators repair identified vulnerabilities promptly and correctly |
Centralized Authentication | Manages the granting and revocation of network and system credentials for all members of the organization |
Systems Security Administration | Administers the configuration of computer systems, which are often organized into groups by the operating system they run |
Training | Trains general staff in information security topics, trains the IT staff in specialized technical controls, and trains the internal information security staff in specialized areas of information security, including both technical and managerial topics |
Network Security Administration | Administers configuration of computer networks, often organized into groups by logical area or geographic location |
Vulnerability Assessment | Locates exposure within information assets so these vulnerabilities can be repaired before weaknesses are exploited |

Table 1: Information Security Functions (modified from Whitman pp. 167-168)


3 Planning

The ISSP will commence with an inventory of the hardware and software assets of the company.
Hardware can include computers, servers, firewalls, routers, switches, storage drives and other
components found at the business. Software includes the most common commercially available
applications such as Microsoft Windows, the Microsoft Office suite and antivirus software. All custom
applications must be included in the inventory. In most small and mid-sized organizations, the
information technology department will be assigned to inventory hardware and software because it is
most familiar with their location and configuration.

The hardware and software assets will be inventoried using this form:

Ownership: assign a unique system identifier for future identification, record who owns the system, and
identify who has responsibility over the system in case the system fails to perform or this individual
assessment must be modified to address a new threat or system change.
  System name: ______________________
  Owner and contact information: ______________________
  Other designated contacts and contact information: ______________________
  Assignment of security responsibility and contact information: ______________________

Categorization: based on the potential impact on the organization should certain events occur which
jeopardize the information and information systems needed by the organization to accomplish its
assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions and
protect individuals. Security categories are used in conjunction with vulnerability and threat information
in assessing the risk to the organization.
  Security categorization: [ ] Low  [ ] Moderate  [ ] High

System Description: purpose and interdependent connections to other systems (if those systems were to
fail, the threat could roll over to another system, or vice versa).
  Function or purpose of the system and the information processes: ______________________
  Indicate if the system type is a major application or a general support system: ______________________
  Technical system environment, including primary hardware, software and communications equipment: ______________________
  System interconnections/information sharing: ______________________
  Current operational status: [ ] operational  [ ] under development  [ ] pending modification

Controls: specific control baseline and governing policies (including meeting legal or regulatory
requirements, such as HIPAA or state and federal disclosure of employee information).
  Minimum security controls baseline: [ ] Low  [ ] Moderate  [ ] High
  Governing laws/regulations/policies for this control: ______________________
  Description of how all the minimum security controls in the applicable baseline are implemented or planned to be implemented: ______________________

Authorizations
  Authorizing official, title, and contact information: ______________________
  Revision version and date: ______________________
  Information System Security Plan approval date: ______________________
  Expiration: ______________________

Form 1: Hardware and Software Asset Inventory

4 Risk Management

Information owners are employees who have been assigned responsibility for the proper management and
handling of a particular type of information on behalf of the company. Owners do not legally own the
information in question; they instead make decisions on behalf of the company, which legally owns the
information. An owner may delegate activities to another entity but an owner's responsibilities may not be
delegated. If an owner has not been officially assigned, the creator of the information will perform as an
interim owner.

Owners must understand how the information they are charged with overseeing is used inside and outside
of the organization. They must also understand the potential liabilities associated with the information,
including unauthorized disclosure, modification or deletion, plus the financial and legal consequences that
could be incurred. For this reason, owners are most often managers in charge of departments that use or
otherwise manage the information in question. Owners are responsible for approving all requests for
access to the information for which they are the designated owner.

4.1 Risk Identification

Owners are responsible for classifying the company's information assets based on sensitivity and
criticality. Typical designations on a sensitivity scale are public, internal, confidential and restricted.
Criticality can be defined based on the number of hours, days, or weeks that may elapse before its
unavailability affects business operations.

The information assets (data) will be inventoried using this form. Subsequently the information will be
analyzed by the committee and the information assets will be ranked in order of importance.

Data Description: how is the data information used?
  Function or general purpose of the data: ______________________
  Is this data shared with personnel in another department? [ ] No  [ ] Yes, other dept is ______________________
  How often is this information accessed?
    [ ] Current and actively used
    [ ] Historical and occasionally referenced
    [ ] Archival and rarely referenced

Data Sensitivity: would the inadvertent disclosure of this information jeopardize the company in any
way? Choose the most appropriate designation.
  Security categorization:
    [ ] Public. This information is readily available from other sources and on the internet. Ex: job
        announcements, previously publicly-released financial reports.
    [ ] Internal. This information is exclusive to the company but should not be disclosed. Ex: internal
        telephone directory, contracts, business partner financial agreements.
    [ ] Sensitive. Disclosure would cause great embarrassment to the company and fines. Ex: salaries,
        credit card numbers.
    [ ] Restricted. Disclosure would result in legal action and financial penalties. Ex: employee social
        security number.

Time Sensitivity: how would the unavailability of this information affect your ability to complete your
responsibilities?
  How often must you use this information to perform important job functions that cannot be postponed?
  I use this information once every: [ ] hour  [ ] day  [ ] three days  [ ] week  [ ] two weeks

Submitted by:
  Employee: ______________________
  Department: ______________________
  Date: ______________________

Authorizations (to be completed by the Security Committee)
  Minimum security controls: [ ] Low  [ ] Moderate  [ ] High
  If special designation, explain why: ______________________
  Security control(s): ______________________
  How will the security control be implemented? ______________________
  Scoping guidance application: ______________________
  Is this a common control? [ ] Yes  [ ] No
  Officer responsible for implementation: ______________________
  Authorizing Officer approval: ______________________

Form 2: Information Asset Inventory

Security controls in the security control catalog (NIST SP 800-53, Appendix F) have a well-defined
organization and structure. The security controls are organized into classes and families for ease of use in
the control selection and specification process. There are three general classes of security controls (i.e.,
management, operational, and technical). Each family contains security controls related to the security
function of the family. A standardized, two-character identifier is assigned to uniquely identify each
control family.

4.2 Risk Assessment

Cybersecurity is risk management. A component of that process is for organizations to identify assets,
assign a valuation to each asset, and estimate the likelihood that a vulnerability may be exploited. By
knowing the value of information and the systems that ensure its flow, the organization can make rational
decisions about how much it should spend to protect its information.

4.3 Risk Analysis and Prioritization

Rather than calculate a quantitative valuation, it may be easier for most organizations to make a
qualitative risk assessment. Detailed calculations to assign a numeric value to assets and potential losses
are not used in this method, so a security guidance committee is more likely to reach consensus quickly.
Obtaining answers to these questions can quickly guide the committee to rank and prioritize its
recommendations.
- Which information asset is the most critical to the success of the organization?
- Which information asset generates the most revenue?
- Which information asset generates the highest profitability?
- Which information asset is the most expensive to replace?
- Which information asset is the most expensive to protect?
- Which information asset's loss or compromise would be the most embarrassing or cause the greatest
  liability?
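The qualitative approach described in sections 4.1 through 4.3 can be made repeatable by turning the Form 2 answers into an ordinal scale and ranking from it. The following Python is an added example, not part of the ISSP or any Soft-Technical system: the mappings from the sensitivity designation and the time-sensitivity window to Low/Moderate/High impact levels, and the high-water-mark rule that combines them into a security categorization, are assumptions of this example (the high-water mark is the FIPS 199 rule; the thresholds are illustrative). The sample inventory is constructed. It also produces a restoration order by shortest acceptable downtime, which is the input the contingency-planning step in 4.5 needs.

```python
from dataclasses import dataclass

# Form 2 sensitivity designations, least to most sensitive.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "sensitive": 2, "restricted": 3}

# Form 2 time-sensitivity windows ("I use this information once every ...")
# expressed in hours; the shorter the window, the more critical the data.
TIME_WINDOW_HOURS = {"hour": 1, "day": 24, "three days": 72, "week": 168, "two weeks": 336}

IMPACT_RANK = {"Low": 0, "Moderate": 1, "High": 2}


@dataclass(frozen=True)
class InformationAsset:
    """One completed Form 2 entry, reduced to the fields the ranking needs."""
    name: str
    department: str
    sensitivity: str            # key of SENSITIVITY_RANK
    time_window: str            # key of TIME_WINDOW_HOURS
    shared_with: tuple = ()     # other departments the data is shared with


def confidentiality_impact(asset):
    """Assumed mapping: public/internal -> Low, sensitive -> Moderate, restricted -> High."""
    rank = SENSITIVITY_RANK[asset.sensitivity]
    return "Low" if rank <= 1 else "Moderate" if rank == 2 else "High"


def availability_impact(asset):
    """Assumed mapping: needed within a day -> High, within three days -> Moderate, else Low."""
    hours = TIME_WINDOW_HOURS[asset.time_window]
    return "High" if hours <= 24 else "Moderate" if hours <= 72 else "Low"


def security_categorization(asset):
    """Overall Low/Moderate/High category as the high-water mark of the impact
    levels (the FIPS 199 rule, applied here by assumption to the two Form 2 answers)."""
    return max(confidentiality_impact(asset), availability_impact(asset),
               key=IMPACT_RANK.__getitem__)


def rank_assets(assets):
    """Committee ranking, most important first: category, then sensitivity,
    then the shortest time window, then how widely the data is shared."""
    return sorted(
        assets,
        key=lambda a: (
            IMPACT_RANK[security_categorization(a)],
            SENSITIVITY_RANK[a.sensitivity],
            -TIME_WINDOW_HOURS[a.time_window],
            len(a.shared_with),
        ),
        reverse=True,
    )


def recovery_order(assets):
    """Restoration order for contingency planning: shortest acceptable downtime first."""
    return sorted(assets, key=lambda a: TIME_WINDOW_HOURS[a.time_window])


# Constructed sample inventory for the example; not real Soft-Technical data.
SAMPLE_INVENTORY = (
    InformationAsset("Payroll records", "Human Resources", "restricted", "day", ("Accounting",)),
    InformationAsset("Customer project source code", "Development", "sensitive", "hour"),
    InformationAsset("Internal telephone directory", "Administration", "internal", "week",
                     ("Development", "Accounting", "Human Resources")),
    InformationAsset("Job announcements", "Human Resources", "public", "two weeks"),
)

if __name__ == "__main__":
    for asset in rank_assets(SAMPLE_INVENTORY):
        print(f"{security_categorization(asset):9} {asset.name}")
    print("Recovery order:", [a.name for a in recovery_order(SAMPLE_INVENTORY)])
```

The ranking deliberately keeps the committee's tie-break order explicit in one place (the sort key), so that when the committee changes its mind about what matters more, only that tuple changes and the rest of the inventory analysis is unaffected.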

4.4 Risk Monitoring

Information systems security planning is an on-going process that is revised when the organization
changes its mission, new laws and regulatory mandates are made, or systems undergo major revision.
Contingency planning is an on-going process that is revised when the organization changes its mission,
new threats are identified, disruptions occur to challenge and test the previously made plans, or new or
more cost-effective technologies emerge to strengthen the planning.

Information assets have control baselines that are recorded in the device inventory. It is the
responsibility of the organization to continuously monitor for any deviation from those security controls.
The organization may find it less expensive to engage an outsourced service to perform a thorough test of
its security controls.
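Two of the steps above lend themselves to a small check: the control catalog paragraph after Form 2 (controls identified by a two-character family code) and the monitoring duty in this section (detect deviation from the baseline recorded in the inventory). The Python below is an added example, not the ISSP's or Soft-Technical's own tooling. It parses NIST SP 800-53 control identifiers of the form FAMILY-number, optionally with an enhancement in parentheses, using the family-to-class grouping from SP 800-53 Revision 3, and compares the controls recorded for a system in its Form 1 entry with the controls observed during a review. The inventory entry, the system identifier and the observed set are constructed for the example.

```python
import re

# SP 800-53 control families and the management/operational/technical class
# each belonged to in Revision 3 (the class grouping the ISSP text refers to).
CONTROL_FAMILIES = {
    "AC": ("Access Control", "technical"),
    "AU": ("Audit and Accountability", "technical"),
    "IA": ("Identification and Authentication", "technical"),
    "SC": ("System and Communications Protection", "technical"),
    "AT": ("Awareness and Training", "operational"),
    "CM": ("Configuration Management", "operational"),
    "CP": ("Contingency Planning", "operational"),
    "IR": ("Incident Response", "operational"),
    "MA": ("Maintenance", "operational"),
    "MP": ("Media Protection", "operational"),
    "PE": ("Physical and Environmental Protection", "operational"),
    "PS": ("Personnel Security", "operational"),
    "SI": ("System and Information Integrity", "operational"),
    "CA": ("Security Assessment and Authorization", "management"),
    "PL": ("Planning", "management"),
    "RA": ("Risk Assessment", "management"),
    "SA": ("System and Services Acquisition", "management"),
}

# FAMILY-number with an optional "(enhancement)" suffix, e.g. AC-2 or IA-2(1).
CONTROL_ID = re.compile(r"^(?P<family>[A-Z]{2})-(?P<number>\d+)(?:\((?P<enh>\d+)\))?$")


def parse_control_id(control_id):
    """Split 'AC-2(1)' into family, class, base control number and enhancement.
    Raises ValueError for a malformed id or unknown family so that typos in the
    inventory surface instead of silently never matching."""
    m = CONTROL_ID.match(control_id)
    if m is None or m["family"] not in CONTROL_FAMILIES:
        raise ValueError(f"not a recognised SP 800-53 control identifier: {control_id!r}")
    family_name, control_class = CONTROL_FAMILIES[m["family"]]
    return {
        "family": m["family"],
        "family_name": family_name,
        "class": control_class,
        "number": int(m["number"]),
        "enhancement": int(m["enh"]) if m["enh"] is not None else None,
    }


def baseline_deviations(inventory_entry, observed_controls):
    """Compare the controls recorded for a system in its Form 1 entry with the
    controls actually observed during a monitoring check.

    'missing'      : recorded as implemented but not observed (a control regressed)
    'undocumented' : observed but absent from the inventory (the inventory is stale)
    Controls recorded as 'planned' are not yet expected, so they are not deviations.
    """
    for cid in list(inventory_entry["controls"]) + list(observed_controls):
        parse_control_id(cid)          # validate every identifier first
    implemented = {cid for cid, status in inventory_entry["controls"].items()
                   if status == "implemented"}
    missing = sorted(implemented - set(observed_controls))
    undocumented = sorted(set(observed_controls) - set(inventory_entry["controls"]))
    by_class = {}
    for cid in missing:
        by_class.setdefault(parse_control_id(cid)["class"], []).append(cid)
    return {"system": inventory_entry["system"], "missing": missing,
            "missing_by_class": by_class, "undocumented": undocumented}


# Constructed Form 1 excerpt and a constructed observation; not real data.
SAMPLE_ENTRY = {
    "system": "HR-SRV-01 (hypothetical identifier)",
    "baseline": "Moderate",
    "controls": {
        "AC-2": "implemented",      # account management
        "AC-17": "implemented",     # remote access
        "AU-2": "implemented",      # audit events
        "IA-2(1)": "implemented",   # multifactor for privileged network access
        "CP-9": "planned",          # system backup, not yet in place
    },
}
SAMPLE_OBSERVED = {"AC-2", "AU-2", "IA-2(1)", "SC-7"}

if __name__ == "__main__":
    report = baseline_deviations(SAMPLE_ENTRY, SAMPLE_OBSERVED)
    for key in ("system", "missing", "missing_by_class", "undocumented"):
        print(f"{key}: {report[key]}")
```

Both lists matter to the committee: a missing control is a regression to correct, while an undocumented control means Form 1 no longer describes the system and the entry should be revised before the next authorization review.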

4.5 Contingency Planning

Contingency planning is planning and preparation for the unwanted. Contingency planning involves
preparing for, detecting and reacting to unexpected events with minimum cost and disruption by
establishing plans, procedures and technical measures to recover all or part of compromised information
systems. [4]

Contingency planning consists of three planning components that reflect time elements related to the
business operation in the event of disruption. Contingency planning first identifies business processes,
the impact a system disruption would have on them, and the estimated downtime. Downtime is the
duration that critical system resources are unavailable in an outage, and every organization has a different
maximum downtime it can accept or tolerate before there is an unacceptable impact on the business
mission or other system resources. The three contingency planning elements are:
- incident response planning (the immediate response plan to an interruption);
- disaster recovery planning (restoring operations at the primary site after disasters occur); and
- business continuity planning (establishment of operations at an alternate site).


The committee will review the information asset inventory and create viable contingency plans for the
organization. Planning will identify natural scenarios (earthquakes, floods, power disruption) and man-made
scenarios (cyberattack, employee attack, disturbed employee with weapons).

5 Implementation Timeline

In this proposal, the ISSP has been deconstructed into smaller milestones. The ISSP committee will
review the subcomponents and agree to an overall program timeline.

Implementation Timeline: the committee agrees to these milestone dates.

Milestone | Date
ISSP initial committee selection | ______________
Appointment of additional resources to ISSP committee | ______________
Assignment to security roles | ______________
Distribution of hardware, software and information asset inventory forms | ______________
Collection of hardware, software and information asset inventory forms | ______________
Analysis of hardware, software and information asset inventory forms | ______________
Hardware and software control baselines established and approved | ______________
Information asset risk controls established and approved | ______________
Contingency planning | ______________
ISSP re-review and revision; plan of action to correct deficient controls | ______________
Submission to upper management for supplemental implementation funding | ______________
ISSP completion date | ______________
ISSP approval date | ______________
ISSP authorization date | ______________

Form 3: Implementation Timeline

6 Supplemental Budgeting

Implementation of an ISSP may identify information assets that are not protected or those that have
insufficient security controls, in the judgement of the oversight committee. The converse could also
occur, where some assets are over-protected when the committee compares the value of the asset and its
risk against the expense for its security.

Additional net funding for the organization's security program will require approval from upper
management. The committee will detail the cost, description and justification in its request for additional
funding.


Supplemental Funding Requirement | Cost and Description
Additional hardware | ______________________
Additional software | ______________________
Additional personnel | ______________________
Outsourced personnel | ______________________
Other | ______________________

Form 4: Supplemental Budget Request

7 Authorization

A senior management official (a role assigned in the prior Roles section) must authorize a system to
operate. The authorization of a system to process information, granted by a management official (the
Security Officer in some organizations, the CEO in very small organizations), means that the authorizing
role formally accepts the risk associated with the information assets identified in the plan. It means that,
in granting authorization, the authorizing role has reviewed the management, operational, and technical
controls of the information assets.

Authorization has an expiration date by which the security plan must be reviewed, revised and renewed.
Re-authorization should occur at least once every three years or earlier if there is a significant change in
the system architecture, a significant change in important processes, or if new, significant threats are
discovered.

Information System Security Plan Completion Date: _________________________

Information System Security Plan Approval Date: _________________________

Information System Security Plan Authorized By: _________________________

8 Student Assessment of ISSP to Cyber Management

The implementation of an Information System Security Plan will initially yield:
- a current and accurate inventory of all device assets, a record of how each device is secured, the laws or
  regulations that govern the information held by the devices, and a categorization of the risk the item
  presents to the organization;
- a current and accurate inventory of all information assets and a formal evaluation of how that
  information is important to the mission of the organization;
- a recovery strategy that prioritizes the most critical items to restore after a disaster;
- broad consensus throughout the organization on what information is important and the resources
  devoted to protecting its safety;
- increased organization-wide security awareness;
- a measurable gauge of security process baseline effectiveness; and
- a manageable process to improve information security and awareness in the future.

Ultimately these improvements will effectively protect and reduce risk to the organization's information
assets. Upon implementation, Soft-Technical can confidently:
- ensure the security and confidentiality of our employees' and customers' information;
- protect against anticipated threats or hazards to the security or integrity of our employees' and
  customers' information, and the information that ensures our business success;
- protect against unauthorized access to or use of employee or customer information that could result in
  substantial harm or inconvenience to either, deviation from Soft-Technical's mission and subsequent
  harm to Soft-Technical's reputation;
- ensure the organization is compliant with all applicable laws and regulations that protect employee
  and customer information;
- gain cost savings as a result of security review and optimization so as to more effectively balance
  security measures against the risk posed by the information asset; and
- increase the company's long-term viability by investing all employees in a security posture.

References

Structure and instructions taken from NIST publication:

Swanson, M., & Guttman, B. (1996, September). NIST SP 800-14: Accepted Principles and Practices for
Securing Information Technology Systems. Retrieved October 24, 2016, from
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

[1] Wood, C. C. (2001). Information security roles & responsibilities made easy: Job descriptions, mission
statements, and reporting relationships (1st ed.). Houston, Texas: Pentasafe Security Technologies.

[2] Mikoluk, K. (2014, June 5). Chief Information Officer Job Description. Retrieved November 27, 2016,
from https://blog.udemy.com/chief-information-officer-job-description/

[3] Whitman, M. E., & Mattord, H. J. (2004). Management of information security (3rd ed.). Boston, MA:
Thomson Course Technology.

[4] Swanson, M., Hash, J., & Bowen, P. (2006, February). Guide for Developing Security Plans for Federal
Information Systems. Retrieved November 1, 2016, from
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
