Ricardo Nevarez
July 9, 2018
Professor Decker
CyberNomad Technologies, Inc.
Table of Contents
Executive Summary
1: Company Summary
1.1 Enterprise Architecture
2: Management
2.1 Roles and Responsibilities
2.2 Planning Management
2.3 Implementation Management
2.4 Risk Management
2.5 Human Resources Management
2.6 Cost Management
3: Planning Management
3.1 Information Security Implementation
3.1.1 Physical Security
3.1.2 Access Control
3.1.3 Website Data Security
3.1.4 Mobile and Cloud Service
3.1.5 Timely Integration of Information
3.1.6 Reliable Communication
3.1.7 System Development and Maintenance
3.2 Contingency Planning
3.2.1 Natural Calamities
3.2.2 Power Outage
3.3 Business Continuity Plan
4: Implementation Management
4.1 Proposed Timeline/Execution
4.2 Budget
5: Risk Management
5.1 Risk Identification
5.2 Risk Assessment
5.3 Analysis & Prioritization
5.4 Mitigation Planning, Implementation & Monitoring
5.5 Risk Tracking
5.6 Classification of Risk
5.7 Data Driven Risk
5.8 Business Driven Risk
5.9 Event Driven Risk
6: Cost Management
6.1 Provide Security Infrastructure That Reduces Development Costs
6.2 Reduce Operational Costs
6.3 Reducing Development Costs
6.4 Cost of Security
6.5 Planned Costs
6.6 Potential Costs
Executive Summary
The overall purpose of the Information Systems Security Plan (ISSP) is to provide this
organization with a living document describing our network infrastructure in regard to its current and
potential future cybersecurity platform. The key element and the overall spirit of the ISSP is to ensure
the Confidentiality, Integrity, and Availability of our organization's data with an approach that makes use
of all resources at our disposal, makes financial sense, and is cost effective without compromising the
risk remediation suggestions and cost-effective solutions for the overall network infrastructure.
which provides managed services to small- to medium-sized companies here in the USA and
overseas. We also provide security consulting, PCI compliance, incident response services and
project management. Our project management services provide cost-effective solutions in regard
which we do keep our virtual servers on-site, but with all backups kept offsite. This same
structure is applied to our backup solution, of which the secondary and third backups are kept
offsite in the cloud. Our VoIP, firewalls, and closed monitoring system are cloud based.
Most of our software applications are maintained and managed in the cloud, including
2: Management
When the organization's Director of Human Resources (HR) has a solid understanding
of the organization and a good eye for hiring the right cybersecurity professionals, each individual
will know their role and responsibility to the people who work within the organization and to its
vision and mission statement. According to the National Institute of Standards and Technology
(NIST), the following roles are to be included within a comprehensive cybersecurity team
Responsibilities: This position is very complex and is a C-level executive position. The CIO is
accountable for the entire organization's cybersecurity program. Other responsibilities include
the development and maintenance of the organization's security policies and procedures, the
implementation and assessment of security controls, and ensuring that properly trained personnel are in
place. This position also reports the overall current status of the organization to the federal
agency.
Responsibilities: Maintains and manages the lifecycle of the Information Technology (IT)
Department. Ensures compliance is adhered to and is responsible for the development, integration,
modification, operation, maintenance, and disposal of the organization's information system. This
position also manages who has access rights to the system's assets, and ensures these assets are
available.
Responsibilities: Establishes the rules for how the data is to be used. Also establishes policies
and procedures for how the data is generated, collected, processed, stored and disposed of.
This position also identifies, assesses and provides information on what the security
requirements and security controls should be for the data. Like the CIO, grants access rights and
Role: Senior Agency Information Security Officer (SAISO) – agency official serving as the CIO's
primary cohort.
Responsibilities: Delivers the CIO’s responsibilities for the systems security planning and
Role: Information System Security Officer (ISSO) – on behalf of the ISO ensures the appropriate
the security controls and assists with the development and upkeep of the systems security plan.
Role: Authorizing Official – this is a senior management position groomed to move into
a role to operate the information system under strict terms and conditions, and has the authority to
Planning, and Business Continuity Plan to resolve a cybersecurity breach. See section 3.
value data; Timely Detection and Quick Response to a cybersecurity event; Recruitment and
Retention of qualified personnel, and Efficient and Effective Acquisition and Deployment of
Existing and Emerging Technology (Donovan & Scott, 2015). See section 4.
2.4 Risk Management – Cybersecurity is ensuring that the appropriate risk management
2.5 Human Resource Management - There are two schools of thought on having the
right balance at the management level: the Behavioral and Contingency management theories
(USD, 2016). The Director of the Human Resources (HR) Department at
CyberNomad Technologies, Inc., will ensure proper training and continued upkeep of the
IT staff to build a strong IT Department. This will develop confident employees who
seek to harness each other's competencies. HR should also promote competitive
benefits packages, perks, incentives, promotions and an open line of communication between
managers and other staff employees (Journal, 2017). At any time when an outside vendor is
required for special projects, the HR Department will properly vet available sources with the
2.6 Cost Management – Cost is always on the mind of the Board of Directors in regard
to everything cybersecurity. Finite resources are applied to ensure the organization's data in
regard to its confidentiality, integrity and availability as it applies to its vision and mission
implementation. Management planning will set the course for the project in regard to what is
going to be done (processes and procedures), how it is going to be done (processes and
procedures), what resources (human or otherwise) are available, and a timeline.
effectively delivered. This will allow the network to be adaptable to cybersecurity threats in
3.1.1 Physical Security: This area of the organization's cybersecurity ecosystem will
include closed-circuit TV at all entrances and exits, including any and all server rooms and
wiring closets. Electrical panels, server rooms and wiring closets will be locked; this will include,
but not be limited to, open unused Ethernet ports, USB ports on local workstations and
the main building's power breaker box. Other areas covered will include restricting physical
access of unauthorized users to the building, server rooms and other secure areas by using
physical access cards. For the perimeter physical security of the building, intrusion alarms
are used.
effectively prevent unauthorized access to many resources, which include the building itself
and all data. The key focus areas will include Privileges, Authentication and Audit Trails,
including their respective logs. Scheduled review of these logs against the baseline logs will
identify out-of-the-ordinary access to the data. As a guide, this organization follows the
suggested Security Control Baselines available within SP 800-53r4 and uses the AC-1 Access
Control Policy and Procedures with the Control Baselines of Low, Moderate and High (Joint
Task Force, 2013) as applicable to our data. Access Control also applies to the roles and
responsibilities of those who interact with that data, to which AC-1 will also apply.
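One way to carry out the scheduled review of access logs against a baseline described above, written as an added example for this plan rather than code from the original document or from CyberNomad Technologies: a baseline period of successful accesses establishes which (user, resource) pairs and which hours of the day are normal for each user, and a later review period is compared against it. The log line format, usernames, resources, timestamps and the failed-access threshold are all constructed for illustration.

```python
"""Review access logs against a baseline (added example; log format is constructed)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed log format: ISO timestamp, user, resource, result on one line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    resource: str
    result: str  # "success" or "failure"


def parse_log(lines):
    """Parse log lines into AccessEvent objects; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        match = LOG_RE.match(line)
        if not match:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(AccessEvent(datetime.fromisoformat(match["ts"]),
                                  match["user"], match["resource"], match["result"]))
    return events


@dataclass
class Baseline:
    pairs: set   # (user, resource) pairs seen succeeding during the baseline period
    hours: dict  # user -> set of hours of day at which that user normally accesses data


def build_baseline(events):
    """Learn normal (user, resource) pairs and working hours from baseline-period events."""
    pairs = set()
    hours = defaultdict(set)
    for event in events:
        if event.result == "success":
            pairs.add((event.user, event.resource))
            hours[event.user].add(event.ts.hour)
    return Baseline(pairs, dict(hours))


def review(events, baseline, failure_threshold=3):
    """Return findings: accesses not in the baseline, accesses at unusual hours,
    and users whose failed accesses reach the threshold (constructed threshold)."""
    findings = []
    failures = defaultdict(int)
    for event in events:
        if event.result != "success":
            failures[event.user] += 1
            continue
        if (event.user, event.resource) not in baseline.pairs:
            findings.append(("new-access", event.user, event.resource, event.ts.isoformat()))
        elif event.ts.hour not in baseline.hours.get(event.user, set()):
            findings.append(("off-hours", event.user, event.resource, event.ts.isoformat()))
    for user, count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated-failure", user, "*", str(count)))
    return findings


def review_logs(baseline_lines, current_lines):
    """Convenience wrapper: build the baseline, then review the current period against it."""
    return review(parse_log(current_lines), build_baseline(parse_log(baseline_lines)))


# Constructed sample data: a baseline period and a later review period.
BASELINE_LOG = """
2018-06-04T09:12:03 user=jdoe resource=/finance/reports result=success
2018-06-04T10:45:19 user=jdoe resource=/finance/reports result=success
2018-06-05T14:02:11 user=jdoe resource=/hr/benefits result=success
2018-06-05T08:30:00 user=asmith resource=/hr/benefits result=success
2018-06-06T16:10:42 user=asmith resource=/hr/benefits result=success
"""

CURRENT_LOG = """
2018-07-02T09:05:10 user=jdoe resource=/finance/reports result=success
2018-07-02T23:41:08 user=jdoe resource=/finance/reports result=success
2018-07-03T11:20:33 user=asmith resource=/finance/payroll result=success
2018-07-03T11:21:00 user=guest resource=/finance/reports result=failure
2018-07-03T11:21:05 user=guest resource=/finance/reports result=failure
2018-07-03T11:21:09 user=guest resource=/finance/reports result=failure
"""

if __name__ == "__main__":
    for finding in review_logs(BASELINE_LOG.splitlines(), CURRENT_LOG.splitlines()):
        print(finding)
```

Run on the constructed data, the review flags jdoe's 23:41 access as off-hours (the pair is normal, the hour is not), asmith's first access to /finance/payroll as a new (user, resource) pair, and the three failed attempts by guest as repeated failures; jdoe's 09:05 access matches the baseline and is not reported. Each finding is the kind of "out of the ordinary" access the plan expects the scheduled review to surface for follow-up under AC-1.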
3.1.3 Website Data Security: Our vendor hosts and supports our public website. All
security is handled by our vendor's security team on their networks, where our website is hosted.
Within our contract agreement, they are responsible for all aspects of securing our website. Any
and all hosting, maintenance and management of our website is done on our vendor's networks
through well-known secure web browser protocols that also include encryption/decryption,
Transport Layer Security (TLS), Secure Sockets Layer (SSL) and HTTPS.
3.1.4 Mobile and Cloud Service: The challenge of securing this vector has driven
our organization to verify and confirm that all mobile devices that our employees use for
work-related duties, which can also include email, will have file folders encrypted, phone lock
enabled, and an antivirus installed with scheduled scans enabled. Currently, CyberNomad
Technologies does use the Microsoft Office 365 Cloud Service, of which cybersecurity is
additional security controls within our Office 365 platform. Their contract as with any other of
our vendors goes through a rigorous review from our Compliance Department.
employees rely on having immediate access to data and information. This includes having reliable
communication to our data, applications and other servers that provide us the services required to
run our organization. Our security access controls respond in real time and are constantly
with our employees in regard to the importance of keeping an open dialog with their
respective direct managers and supervisors. This enables quick notification of any suspicious
events within the network, which reduces mitigation time. We have learned that our company
is stronger when our departments do not work in silos but have open lines of reliable
3.1.7 System Development and Maintenance: Our computer networks are kept secure
through monthly roll-outs of Microsoft Windows Updates on our workstations and
virtual servers. We have scheduled inventories of our applications to ensure we are running current
versions, including applying firmware updates where needed on our computers and networked
appliances. Any updates are always tested on a small test pool before
3.2 Contingency Planning The advantage of our organization's contingency planning is its
focus on the end result of currently implemented processes, which are designed for the short
and long-term goals and strategies. These management policies and procedures are in place to restore
technical operations when an unexpected event occurs in the future (Swanson, Bowen, Phillips,
Gallup, & Lynes, 2010). With business continuity at the forefront, we have addressed incident
response, disaster recovery and business continuity in the following sections. We have selected the
optimal approach to minimize the negative financial impact and still meet CyberNomad
Technologies, Inc.'s vision and mission statement. For suggested guidelines we reference
FIPS 199 for the potential impact and use the ratings of Low, Moderate and High (NIST, 2004).
contingency plan covers natural disasters, and we have a disaster recovery plan in place that can
run independent of the event. This allows the damaged network to be rebuilt while minimizing negative
financial impact and disruption to daily operations. This is assisted by having a backup system in
place that is both onsite and cloud based in case of a natural disaster.
3.2.2 Power Outage: In the event of a complete power outage, our building's backup
generator is in line to support key critical aspects of our organization, which include routers,
switches, VoIP phones, and the workstations of key personnel, including our CEO, COO, CIO,
3.3 Business Continuity Plan In the event that a complete building power outage
occurs and the building's backup generator fails, we have logistically implemented a hot site to
which we can roll over. Our cloud-based backup is accessible within minutes, as is our cloud-based
VoIP service, where our vendor is simply required to switch over to the hot site. These
implementations are designed to minimize any negative impact that could affect our daily business
data; Timely Detection and Quick Response to a cybersecurity event; Recruitment and Retention
of qualified personnel, and Efficient and Effective Acquisition and Deployment of Existing and
natural event the earlier proposed responses including our implemented incident response,
disaster recovery and business continuity will be executed to minimize any negative impact to
4.2 Budget – In regard to any additional requested budget outside of what has already
been allocated to our organization's cybersecurity, a request for additional budget funds
must be put forth to the CIO, which will then be handed to the CIO for approval.
Justification for the request must be in writing for the CEO's approval. Once approved, the
5: Risk Management It has been said that the best defense is a good offense. Looking ahead and
being prepared is critical to keeping CyberNomad Technologies, Inc. ready for a cyber
incident. It allows our network to be that much more resilient. Whether we use quantitative or
qualitative risk analysis, there are five areas covered here that help ensure we
continue to have a well-prepared cybersecurity environment. These areas include identifying the
risk, working with management to bring them onboard, continuing to have an open line of
communication with C-level executives, continuing to update our incident response, and continuing to
get the message out about how important it is to have all employees onboard with securing the
5.1 Risk Identification Using our in-house software has allowed us to identify and label
our inherent potential risks. This provides us a big picture with which to assess,
including the security controls, what the inherent risk(s) are at that time. Our risk
management practice is scheduled on a quarterly basis to keep current in this area. The areas
covered include, but are not limited to: Security Programs, Risk Management & Compliance,
Training, Personnel Security, Physical Security, Network Security, Logical Access and Business
Continuity Management.
5.2 Risk Assessment - Our Risk, Impact and Likelihood rating is based on Low, Medium and
High, where High requires immediate remediation. We use these labels on any and all identified
risks. We have determined that risk exists in the area of Personnel Security, in that proper procedures
are not in place for creating user accounts to access our organization's data. We have identified that
all our systems are closely monitored. This also includes the maintenance and management in
5.3 Analysis & Prioritization – Any and all collected information is well documented
and assembled to be presented to the CISO and the CIO of our organization, on which they will
base the decision on remediation, in what priority to remediate found risks and what resources
Inc. will create a Request For Proposal where needed to address risks that have been
deemed to require immediate attention by the CISO and the CIO. Any Medium to Low
risks will be remediated in-house. Per our company vetting policy, we will vet at
least three potential outside vendors, which must meet all requirements as stated within
5.5 Risk Tracking – Project management of the risk remediation project will be
monitored and managed using in-house project management software. This will ensure the
project timeline stays on schedule, and cost can also be monitored and managed through the completion of
5.6 Classification of Risk – As mentioned earlier in the Risk Analysis, the assessed risk is
labeled as Low, Medium or High, where High requires immediate risk remediation. Part of the
assessed risk is the Likelihood and the Impact the identified risk may have on the area
being assessed. These are labeled as Not Likely, Likely, Very Likely, and Low, Medium and
High respectively. The Security Classification of Risk is acquired from the information within
5.8 Business Driven Risk - Risk and control allow CyberNomad Technologies, Inc., to
continuously evaluate our data so that it remains in compliance, which gives us the opportunity to
mitigate our organization's risks as they become apparent. This approach allows us to create
6: Cost Management
6.1 Provide security infrastructure that reduces development costs – The area that
will make the most difference in moving our organization forward is virtualization. This
technology replaces existing physical hardware, which includes servers, firewalls and
our data backup solution. This improves our network performance, reliability, manageability and
application servers, DBMS servers, and our high performance computing servers.
6.2 Reduce operational costs – This approach as discussed in section 6.1 reduces
monthly and yearly electrical power consumption, maintenance and management, and human
6.3 Reducing development costs – Financially, the virtualization within the many areas
within our network infrastructure will drastically minimize the ongoing yearly upkeep in regard
6.4 Cost of Security – It will always be difficult for our company to know just how much
in financial resources to set aside for the IT Department. If and when the cost of providing
security exceeds the cost of the data, it becomes unreasonable to continue funding this area
of the organization. Referring back to section 6.1 will keep us within bounds in regard to the
6.6 Potential costs – Unknown at the moment, yet if a cyber breach should occur we can
see potential costs in areas that include and are not limited to: compliance penalties, court fees,
loss of data, and reputation loss for the organization and in areas of cyber prevention.
6.7 Comparative costs with industry – The significant issues impacting business needs
and costs versus cyber prevention are very apparent in the light of an attack. Investing 5% of our
7.1 Key Elements – CyberNomad Technologies, Inc. has worked towards building a
strong network infrastructure, which includes maintenance and management from internal IT
resources as well as support resources from our outside vendors. These outside vendors
maintain and manage our cloud-based email, cloud VoIP and a number of virtual servers.
This puts us in a competitive position to continue with projects that mitigate future cyber-attacks.
periodic review of all logs of which are included within the cloud email and virtual server
services. Logs will be reviewed for malware, viruses, including and not by any means limited to
7.2 Conclusion and Future Work – In regard to this body of work, this is a live
document which is subject to change as time passes and the network infrastructure, its policies
Inc. is in a position to identify said changes, which the employees can reference in regard to
security requirements and network security controls, including and not limited to roles and
responsibilities.
8: Student Assessment of ISSP to Cyber Management – The ISSP is a living document that
reflects the continuous changes that occur within the network infrastructure. It provides
Cyber Management an overview of the organization's Roles & Responsibilities, including and not
limited to the cybersecurity policies that are in place. This document is also a reference for existing
projects and potential upcoming projects for the organization, including costs. These
projects include the virtualization of selected hardware platforms as mentioned and the ongoing
maintenance and management of these projects once completed. The creation of this document
will provide what has been mentioned throughout this document and provide what is expected in
regard to securing the network. The success of this ISSP can be measured by every employee’s
References
Cooper, C. (2017, November 16). 5 Fundamentals in Cyber Risk Management. Retrieved July 8,
2018, from CSOOnline.com: https://www.csoonline.com/article/3235511/data-breach/5-fundamentals-in-cyber-risk-management.html
Donovan, S., & Scott, T. (2015, October 30). Memorandum For Heads Of Executive
Departments And Agencies. Retrieved July 6, 2018, from Executive Office Of The
President Office Of Management And Budget: https://www.hsdl.org/?abstract&did=788143
Drucker, P. F. (1986). Management: Tasks, Responsibilities, Practices. New York, NY,
USA: Truman Talley Books. Retrieved July 7, 2018
Joint Task Force. (2013, April). Security and Privacy Controls for Federal Information Systems
and Organizations. Retrieved July 7, 2018, from NIST:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Journal, W. S. (2017). Hiring and Managing Employees. Retrieved June 25, 2018, from
WSJ.com: http://guides.wsj.com/small-business/hiring-and-managing-employees/how-to-retain-employees/
Morley, L. (2015, February 5). How Much Should a Company Spend on IT? Retrieved June 19,
2018, from Techvera.com: https://techvera.com/company-it-spend/
NIST. (2004, February). Standards for Security Categorization of Federal Information and
Information Systems. Retrieved June 10, 2018, from NIST.gov:
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). Contingency
Planning Guide for Federal Information Systems. Retrieved June 10, 2018, from
NIST.gov: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
USD. (2016, May). CSOL 550: Management and Cybersecurity - Lecture 1.1: Transcript. San
Diego, California, United States. Retrieved May 27, 2018, from
https://ole.sandiego.edu/bbcswebdav/pid-1198498-dt-content-rid-3398962_1/courses/CSOL-550-MASTER/CSOL550_Lecture1.1_Transcript.pdf