

Vision Quest Inc.

Raul J. Mendoza

Cyber Management

CSOL 550

December 1, 2016

Donald Biedermann Jr

Table of Contents

Abstract

1: Company Summary

2: Management

3: Planning

4: Implementation Management

5: Risk Management

6: Cost Management

7: Analysis & Recommendation Management

8: Student Assessment of ISSP alignment to Cyber Management

References

Abstract

The purpose of this plan is to determine the best company strategy for planning, implementing, managing, and allocating the cost needed to protect Vision Quest Inc.'s architecture and critical information. In order to identify the appropriate cost, we must understand the company's mission, current architecture, and the support systems that enable the company to generate profit. Concurrently, we will conduct a gap analysis to identify where risks exist and make recommendations intended to improve the security posture. If the recommendations of this plan are implemented, Vision Quest can expect an improved security posture that enables it to identify, mitigate, report, and recover from cyber-attacks.

All essential employees identified within this plan will be expected to understand and implement the

system security plan as required. In addition, all employees will become familiar with this plan and the

security planning process. Employees responsible for implementing and managing Vision Quest

information systems must also participate in addressing the security controls needed to ensure the

company’s infrastructure remains secure according to industry best practices and standards. This

document will be reviewed annually for its applicability and relevance to the company’s environment.

1: Company Summary

Vision Quest Inc., established in 2005, is a global leader in 3D rendering software. Our tools enable users to create innovative models and movies without spending countless hours and money on training. Our easy-to-use tools create a real-time environment that allows users to make fast alterations as they go. Because our tools are compatible with all major 3D design programs, such as Revit, SketchUp, and ArchiCAD, they can be implemented within any business environment seamlessly. We offer flawless export of 3D designs made in all major CAD programs, which limits additional costs.

1.1 Enterprise Architecture

1.1.1 Firewalls

Firewalls will provide separation between the different business units. Controlling which traffic may pass between segments of the Vision Quest environment gives us the means to define what access is authorized and what is not.

1.1.2 Intrusion Detection System/Intrusion Prevention System (IDS/IPS)

By implementing an IDS/IPS solution we are able to monitor for known threats and block them as they present themselves. It is important to understand that these capabilities give us visibility into, and prevention of, intrusions that match known signatures; they should not be expected to provide complete protection. They are one part of the overall defense-in-depth and add a layer of protection focused on known threats. The incident response plan covers the intrusions these capabilities miss, and its execution is what minimizes data and financial loss.
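The caveat above, that an IDS/IPS catches known threats rather than everything, is easy to see in code. The following is an added example written for this plan; it is not Vision Quest's tooling or any vendor's product. It runs a handful of vendor-style signatures over constructed web-access log lines (the IP addresses, paths, User-Agents and signatures are all made up for illustration), returns the IPS action for each line, and shows that the same signatures miss a URL-encoded variant of a known attack when the input is not normalized first.

```python
"""Signature-based IDS/IPS sketch over constructed web-access log lines.

Added example for the Vision Quest ISSP; not the plan's own tooling.
Signatures, addresses and log lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Known-threat signatures in the style a vendor feed would ship them.
# Each entry: (name, compiled regex, action). 'block' is the IPS action,
# 'alert' is detect-only (IDS) behaviour.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./"), "block"),
    ("sqli-union-select", re.compile(r"union\s+select", re.IGNORECASE), "block"),
    ("scanner-ua-sqlmap", re.compile(r"sqlmap", re.IGNORECASE), "alert"),
]

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def normalize(path: str) -> str:
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both
    become '../' before the signatures see them."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def inspect(line: str, normalize_input: bool = True):
    """Return (verdict, signature_name) for one log line.

    verdict is 'block', 'alert' or 'allow'. Unparsable lines are allowed
    through, which is itself a gap a real deployment must account for.
    """
    m = LOG_RE.match(line)
    if not m:
        return ("allow", None)
    path = normalize(m["path"]) if normalize_input else m["path"]
    haystack = path + " " + m["ua"]
    for name, pattern, action in SIGNATURES:   # first match wins
        if pattern.search(haystack):
            return (action, name)
    return ("allow", None)


# Constructed sample traffic: one benign request, a plain traversal, the
# same traversal percent-encoded, a UNION-based injection from a scanner,
# and a benign POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2016:10:01:02 -0700] "GET /render/api?model=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Dec/2016:10:01:03 -0700] "GET /files/../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.50"',
    '203.0.113.9 - - [01/Dec/2016:10:01:04 -0700] "GET /files/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0 "-" "curl/7.50"',
    '203.0.113.10 - - [01/Dec/2016:10:01:05 -0700] "GET /search?q=1%27%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 77 "-" "sqlmap/1.0"',
    '203.0.113.11 - - [01/Dec/2016:10:01:06 -0700] "POST /login HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]


def run(lines, normalize_input: bool = True):
    """Inspect every line and return the list of (verdict, signature)."""
    return [inspect(line, normalize_input) for line in lines]


if __name__ == "__main__":
    for label, flag in (("with normalization", True), ("without normalization", False)):
        print(f"--- {label} ---")
        for line, (verdict, sig) in zip(SAMPLE_LOG, run(SAMPLE_LOG, flag)):
            print(f"{verdict:5s} {sig or '-':20s} {line.split(chr(34))[1]}")
```

Run as-is to print one verdict per line, first with and then without percent-decoding. The `normalize_input=False` pass reproduces the gap the paragraph warns about: the encoded traversal is passed through as `allow`, and the injection attempt is flagged only because the scanner's User-Agent happened to match an alert-only signature. Better normalization and signature tuning close known gaps; they do nothing for attacks no signature describes, which is why the incident response plan remains the backstop.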

1.1.3 Servers

Servers will provide authentication, auditing, and file sharing to users

within the company enterprise. The servers will be maintained by the

Cyber department to ensure the company implements the appropriate

controls in accordance with industry standards.

1.1.4 Workstations/Operating System

The company will be able to choose which operating system is deployed based on the needs of the user. Offering a flexible environment increases the chances of innovation and makes us more attractive to industry leaders. We will offer multiple platforms, including Windows and multiple Linux distributions.

2: Management

2.1 Roles and Responsibilities

Chief Information Officer (CIO):

The CIO will have overall responsibility for the ISSP and its implementation. Their duties are as follows:

- Develop and maintain all policies, procedures, and controls outlined within this plan
- Designate the Chief Information Security Officer responsible for carrying out the ISSP
- Manage the security planning process and the identification, implementation, and assessment of all security controls
- Ensure all key personnel are properly trained and support the ISSP as necessary

Chief Information Security Officer (CISO):

Several responsibilities fall within the scope of the CISO position. The expectation is therefore that the individual has at least 10 years of experience, a Bachelor's degree, and one or more advanced certifications (e.g. CISSP, CISM, GIAC). His or her responsibilities will range across cyber investigations, incident response, data security, intrusion prevention, and breach notification.

Helpdesk Manager:

The Helpdesk Manager has an essential role in the daily success of the company. Typically, this person has 5-10 years of experience in a service desk environment and 2-4 years of management experience. This role oversees the Tier 1 technicians, analysts, and specialists who provide technical support to the user community, and also manages and provides technical support directly, including communications with clients, hardware and software diagnosis, and troubleshooting.

Network Engineer:

Network engineers are critical in the management and defense of the company's infrastructure. Their ability to understand and apply the controls needed to manage network traffic and defend against unknown or malicious activity can decide the outcome of an incident. They should have 5-10 years of experience and a solid understanding of Cisco internetworks, routing and switching and related protocols, LAN/WAN, security, firewalls, load balancers, and wireless.

System Engineer:

System engineers are expected to be experienced across numerous operating systems and applications. Their support of the business environment and servers provides the essential services that ensure availability and access for employees and customers. They should have 5-10 years of experience, a Bachelor's degree, and 1-3 certifications.

Security Operations Center:

The cyber security analyst is a critical role within the company that provides real-time monitoring of the business environment. Analysts' ability to defend, identify, respond, report, and recover from incidents as they present themselves is key to ensuring minimal impact. The analyst positions are tiered; the tiers differ only in the required level of experience, certifications, and education.

2.2 Planning Management

For the planning and development within this ISSP the following information is provided.

- System Name: Vision Quest 3D rendering enterprise
- System Categorization: N/A; the system does not support government operations
- System Owner:
  o Name: George Costanza
  o Title: CIO
  o Agency: N/A
  o Address: 1223 Apache Dr, Legacy, AZ, 21225
  o Phone Number: (520) 857-6309
  o Email Address: VisionQuestCIO@gmail.com
- Other Designated Contacts:
  o VisionQuestCISO@gmail.com
  o VisionQuestISSM@gmail.com
- System Operational Status:
  o Operational: the system is in production
- Information System Type:
  o General support system
- General Description/Purpose:
  o The Vision Quest 3D rendering enterprise is a Windows 10 client/server environment that supports the day-to-day administrative functions of the business. It also hosts a virtual environment, using VMware, to support updates and future development of Vision Quest's 3D rendering software.
- System Environment:
  o Enterprise environment:
    - Windows 10, Linux
    - Vision Quest 3D rendering software
    - VMware
    - Microsoft Office suite

2.3 Implementation Management

Any change or new implementation to the Vision Quest enterprise shall be

reviewed prior to approval. If approved, a Project Manager will be identified to ensure

the following steps are performed throughout the entire implementation.



o Initiation phase

o Definition phase

o Design phase

o Development phase

o Implementation phase

o Follow-up phase

2.4 Risk Management

Risk Management will be communicated and coordinated through the Risk Management Committee. Oversight and governance will be key functions of the committee, ensuring that auditing, compensation, and monitoring of the company are performed. The committee will consist of non-management directors to promote an unbiased approach to determining the management of the overall "material enterprise risk" (Touhill & Touhill, 2014, p. 89).

In addition, the committee will at a minimum ensure the following areas are addressed:

- Ensure company Intellectual Property and Trade Secrets are protected
- Ensure proper measures are taken to mitigate risk, where possible, for all storage, Internet access, USB connections, removable media, data backups, off-site storage, and data feeds
- Ensure all technical risks (e.g. vulnerability scans, remote access, passwords) and human risks (e.g. phishing, insider threat, inadvertent disclosure) are addressed so that the appropriate policies and measures are implemented and minimize potential impact



2.5 Human Resource Management

The HR department will coordinate all employee-related issues. It will ensure all policies and processes are communicated and followed, and that all Vision Quest employees are trained and that continuing development is tailored to each employee. These functions are accomplished through training programs, performance evaluations, and Vision Quest's rewards program.

2.6 Cost Management

When determining whether to invest in additional resources, it is important to perform an analysis that can justify the additional cost and the Return on Investment (ROI). The CIO and/or CISO will provide the board with the analysis to aid in the decision-making process. Once the investment is approved, the assigned project manager will follow the implementation management process to ensure the budget and cost are adhered to.

3: Planning

3.1 Information Security Implementation

3.1.1 Physical security:

Physical security will be implemented through technical, physical, and administrative controls. These controls enable the company to apply multiple layers of protection and to take the appropriate measures to prevent unauthorized access. Defense of critical information and infrastructure is at the forefront of this plan, and we will take the necessary measures to protect our business units and information from unauthorized access. Because of the development work that will be occurring within the Vision Quest enterprise, it is important to apply all three categories of control.

- Technical Controls
  - Badge readers and key pads
  - Badge access control database
  - Encryption
  - Interior boundaries
- Physical Controls
  - Closed-circuit surveillance cameras
  - Motion or thermal alarm system
  - Security guards
  - Picture IDs
- Administrative Controls
  - Policy, procedures, and standards
  - Training and awareness
  - Disaster preparedness and recovery plans

3.1.2 Access control:

- Closed-Circuit Surveillance Cameras (CCTV): Cameras will be placed throughout the perimeter and at specified access points where controlled access is required. They will be maintained and monitored by the security department and the security guards on duty. The purpose of CCTV is threefold: preventive access control, deterrent access control, and detective access control. Together these enable the company to monitor and control access to the facility during and after normal working hours.
- Motion or Thermal Alarm System: After normal working hours the building will be armed with a motion/thermal alarm system monitored by the security guards. Security will respond to any alarm and coordinate with local law enforcement on any potential compromise. Guards will notify the security department of any issues or concerns regarding the incident or false alarm.
- Security Guards: Guards will be posted at the main entry point to the building. They will verify badges, process visitors, and maintain awareness of potential unauthorized access via CCTV. They provide the necessary access control and deter those considering unauthorized entry. They will monitor and respond to any alarm and coordinate with local law enforcement so that every incident is responded to.
- Picture IDs: Badges will carry a picture of the individual and be clearly identifiable so that the access granted is associated with the person on the badge.

3.1.3 Website Data Security:

Vision Quest Inc. has decided to outsource web and cloud service and security to Digital Guardian. The appropriate Statement of Work outlines the expectation and quality of service necessary to meet the company's needs. The following are some of the services provided.

- Provides continuous monitoring and visibility for all data interactions with web and cloud storage applications
- Provides granular file movement control based on browser and OS events involving web applications such as SharePoint, Dropbox, and Gmail
- Automatically classifies data extracted from web applications
- Delivers forensic event logs for more effective alerting, reporting, and policy creation
- Automatically encrypts sensitive data prior to egress

3.1.4 Mobile and Cloud service:

Mobile and cloud service is covered by the outsourced Digital Guardian engagement described in section 3.1.3.

3.1.5 System Development and Maintenance:

3.2 Contingency Planning

3.2.1 Natural Calamities:

Will be outlined in the BCDR plan



3.2.2 Power Outage:

Will be outlined in the BCDR plan

3.3 Business Continuity Plan

Determining the level of resources required to protect critical information and infrastructure will always be a struggle for executives. Prioritizing which information loss is more acceptable than another may never yield an optimal answer, but by creating a contingency plan we can identify ways to recover from loss quickly and efficiently. Business Continuity and Disaster Recovery (BCDR) planning gives us a structured way to determine what is a priority for the business and how best to recover from a catastrophe. Business continuity focuses on how to continue operating with minimal downtime.

We will address the following areas within the BCDR plan (SANS, 2002, p. 1):

- Critical application assessment
- Back-up procedures
- Recovery procedures
- Implementation procedures
- Test procedures
- Plan maintenance

4: Implementation Management

4.1 Proposed Timeline/Execution

4.2 Budget

5: Risk Management

5.1 Risk Identification:

The Vision Quest Inc. risk management process incorporates risk identification early and continuously identifies events that could negatively affect a project's ability to achieve optimal performance. Impacts may come from within the project or from external sources.

5.2 Risk Assessment:

When assessing risk, it is important to understand the different types that can impact a project (e.g. program risks, investment decisions, and operational costs). Aligning the identified risks to the type of assessment supports the decision-making process and is how Vision Quest determines its risk.

5.3 Analysis & Prioritization

Analysis and review of the following areas aids in assessing the impact different risks may have on the company. Based on the analysis, each risk is scored from 1 (critical) to 5 (least severe) to indicate its level of importance and potential impact.

- Operational risk
- Technical maturity
- Non-developmental items
- Key Performance Parameters (KPPs)
- Information security

5.4 Mitigation Planning, Implementation & Monitoring



If a risk is classified as "Critical - High" or "Critical - Medium", the Risk Management Committee will be notified and will begin the review process to determine the level of response required to plan and implement the necessary measures.

5.5 Risk Tracking

If a risk is classified as "Critical - Low", the Risk Management Committee will be notified, but only to ensure proper monitoring of the risk is performed. In the event of a change, the committee may decide to elevate the level and implement measures to mitigate the risk.

5.6 Classification of Risk

Critical - High

Critical – Medium

Critical - Low

6: Cost Management

6.1 Reduce operational costs:

Management will review all operational costs associated with projects on a quarterly basis. If the ROI is determined not to justify the project cost, the project will be terminated, unless termination would substantially increase operational impact or risk to the company.

7: Analysis & Recommendation Management

7.1 Key Elements



The key elements of success outlined within this ISSP are essential to ensuring Vision Quest Inc. successfully protects its critical information. To facilitate proper implementation, we must continue to perform the following tasks:

- Review the ISSP on an annual basis for relevance, content, and applicability
- Determine whether all processes and policies are current and understood by management and employees
- Ensure continuous monitoring of risk to the company is performed and that the Risk Management Committee ensures the proper controls are implemented

7.2 Conclusion and Future Work

Achieving both optimal security and optimal business practices involves compromise and an understanding of the challenges we face. Our ability to communicate and link risk, priority, and financial impact helps bridge the knowledge and language gap between IT professionals and executive management. Corporate goals help us understand the company's intent and mission. Cyber security should not be viewed as a road block, but as something that supports the achievement of company goals. In conclusion, the security solutions we implement in support of corporate goals must protect the customer, the shareholders, and profit.

8: Student Assessment of ISSP to Cyber Management

Defining and identifying key roles and responsibilities within a company hinges upon leadership's ability to understand how cyber supports the company mission. Risk management, cost, ROI, business continuity, and the incorporation of these elements within the ISSP help communicate the areas of focus needed to posture the company's security for a contested environment. By defining the needs of the company, we can then determine the level of support required to ensure the business can operate as intended. By specifying the different requirements within the ISSP, we are able to set expectations and differentiate between roles, filling them with the right experience levels to support the company.

References:

Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives: A Practical Guide. [Adobe Digital Editions]. Retrieved from http://it-ebooks.directory/book-1118888146.html

McAfee. (2015). McAfee Host Intrusion Prevention for Desktop. Retrieved from http://www.mcafee.com/us/resources/data-sheets/ds-host-intrusion-for-desktop.pdf

SANS Institute InfoSec Reading Room. (2015). Insider threat mitigation guidance. Retrieved from https://www.sans.org/reading-room/whitepapers/monitoring/insider-threat-mitigation-guidance-36307
