
Running head: CyberNomad Technologies, Inc.

CyberNomad Technologies, Inc.

Ricardo Nevarez

Information Systems Security Plan

CSOL 550 – Management and Cybersecurity

July 9, 2018

Professor Decker
CyberNomad Technologies, Inc.

Table of Contents

Executive Summary…………….……………………………………………………pg 3
1: Company Summary………………………………………………….……………pg 4
1.1 Enterprise Architecture
2: Management………………………………………………………….……………pg 4
2.1 Roles and Responsibilities
2.2 Planning Management
2.3 Implementation Management
2.4 Risk Management
2.5 Human Resources Management
2.6 Cost Management
3: Planning Management……………………………………………….………….…pg 7
3.1 Information Security Implementation
3.1.1 Physical Security:
3.1.2 Access Control:
3.1.3 Website Data Security:
3.1.4 Mobile and Cloud Service:
3.1.5 Timely Integration of Information
3.1.6 Reliable Communication:
3.1.7 System Development and Maintenance:
3.2 Contingency Planning
3.2.1 Natural Calamities:
3.2.2 Power Outage:
3.3 Business Continuity Plan
4: Implementation Management…………………………………………………...…pg 11
4.1 Proposed Timeline/Execution
4.2 Budget
5: Risk Management……………………………………………………………….…pg 11
5.1 Risk Identification
5.2 Risk Assessment
5.3 Analysis & Prioritization
5.4 Mitigation Planning, Implementation & Monitoring
5.5 Risk Tracking
5.6 Classification of Risk
5.7 Data Driven Risk
5.8 Business Driven Risk
5.9 Event Driven Risk
6: Cost Management………………………………………………………………….pg 14
6.1 Provide Security Infrastructure That Reduces Development Costs
6.2 Reduce Operational Costs
6.3 Reducing Development Costs
6.4 Cost of Security
6.5 Planned Costs
6.6 Potential Costs

2|Page

6.7 Comparative Costs with Industry


7: Analysis & Recommendation……………………….…………………………………….pg 15
7.1 Key Elements
7.2 Conclusion and Future Work
8: Student Assessment of ISSP alignment to Cyber Management ….…………….…………pg 16
References:…………………………………………………………………………………....pg 17

Executive Summary

The overall purpose of the Information Systems Security Plan (ISSP) is to provide this organization with a living document describing our network infrastructure in regard to its current cybersecurity platform and its potential future platform. The key element and the overall spirit of the ISSP is to ensure the Confidentiality, Integrity and Availability of our organization's data with an approach that makes use of all available resources, makes financial sense and is cost effective without compromising the security posture. It provides a summary of roles and responsibilities, cybersecurity implementation, risk remediation suggestions, and cost-effective solutions for the overall network infrastructure.

1: Company Summary – CyberNomad Technologies, Inc. is a cybersecurity organization that provides managed services to small and medium-sized companies in the USA and overseas. We also provide security consulting, PCI compliance, incident response services and project management. Our project management services provide cost-effective solutions for upgrading organizations to secure cloud solutions.

1.1 Enterprise Architecture – Our current network architecture is a hybrid solution in which we keep our virtual servers on-site but keep all backups offsite. The same structure applies to our backup solution, in which the secondary and tertiary backups are kept offsite in the cloud. Our VoIP is cloud based, as are our firewalls and closed monitoring system. Most of our software applications are maintained and managed in the cloud, including our email on the Microsoft Office 365 platform.

2: Management

2.1 Roles and Responsibilities

When the organization's Director of Human Resources (HR) has a solid understanding of the organization and a good eye for hiring the right cybersecurity professionals, each individual will know their role and responsibility to the people who work within the organization and to its vision and mission statement. According to the National Institute of Standards and Technology (NIST), the following roles are to be included within a comprehensive cybersecurity team (Swanson, Hash, & Bowen, 2006).

These roles and responsibilities are as follows:

Role: Chief Information Officer (CIO)

Responsibilities: This is a complex C-level executive position. The CIO is accountable for the entire organization's cybersecurity program. Other responsibilities include the development and maintenance of the organization's security policies and procedures, the implementation and assessment of security controls, and ensuring that properly trained personnel are in place. This position also reports to the federal agency on the overall current status of the organization.

Role: Information System Owner (ISO)

Responsibilities: Maintains and manages the lifecycle of the Information Technology (IT) Department. Ensures compliance is adhered to and is responsible for the development, integration, modification, operation, maintenance, and disposal of the organization's information system. This position also manages who has access rights to the system's assets and ensures these assets are available.

Role: Information Owner (IO)

Responsibilities: Establishes the rules for how the data is to be used. Also establishes policies and procedures for how the data is generated, collected, processed, stored and disposed of. This position also identifies, assesses and provides information on what the security requirements and security controls for the data should be. Like the CIO, grants access rights and permissions to the data.

Role: Senior Agency Information Security Officer (SAISO) – agency official serving as the CIO's primary cohort.

Responsibilities: Delivers the CIO's responsibilities for system security planning and assembles the identification, implementation and assessment of the security controls.

Role: Information System Security Officer (ISSO) – on behalf of the ISO, ensures the appropriate operational security posture is maintained.

Responsibilities: Assists senior officers in the identification, implementation, and assessment of the security controls and assists with the development and upkeep of the system security plan.

Role: Authorizing Official – this is a senior management position groomed to move into an operational type role.

Responsibilities: Approves cybersecurity plans, authorizes operations, may authorize others in a role to operate the information system under strict terms and conditions, and has the authority to deny access to the information system when a legitimate cybersecurity concern exists.

2.2 Planning Management – The Information Security Implementation, Contingency Planning, and Business Continuity Plan to resolve a cybersecurity breach. See section 3.

2.3 Implementation Management – Prioritized identification and protection of high value data; timely detection and quick response to a cybersecurity event; recruitment and retention of qualified personnel; and efficient and effective acquisition and deployment of existing and emerging technology (Donovan & Scott, 2015). See section 4.

2.4 Risk Management – Cybersecurity is ensuring that appropriate risk management is applied to the organization's data. See section 5.

2.5 Human Resource Management – There are two schools of thought on having the right balance at the management level: the Behavioral and Contingency management theories (USD, 2016). The Director of Human Resources of the Human Resources (HR) Department at CyberNomad Technologies, Inc. will ensure proper training and continued development of the IT staff to build a strong IT Department. This will develop confident employees who seek to harness each other's competencies. HR should also promote competitive benefits packages, perks, incentives, promotions and an open line of communication between managers and other staff employees (Journal, 2017). Whenever an outside vendor is required for special projects, the HR Department will vet available sources with the same due diligence as if it were hiring an internal employee.

2.6 Cost Management – Cost is always on the mind of the Board of Directors in regard to everything cybersecurity. Finite resources are applied to ensure the confidentiality, integrity and availability of the organization's data as it applies to its vision and mission statement. See Section 6.

3: Planning Management – Careful planning should always support a successful implementation. Management planning will set the course for the project in regard to what is going to be done (processes and procedures), how it is going to be done, what resources (human or otherwise) are available, and a timeline.

3.1 Information Security Implementation – An important part of maintaining and managing the organization's network is ensuring the cybersecurity implementation is effectively delivered. This will allow the network to be adaptable to cybersecurity threats in regard to detection, minimizing the threat and a timely recovery.

3.1.1 Physical Security: This area of the organization's cybersecurity ecosystem will include closed-circuit TV at all entrances and exits, including any and all server rooms and wiring closets. Electrical panels, server rooms and wiring closets will be locked; this will include, but not be limited to, unused open Ethernet ports, USB ports on local workstations and the main building's power breaker box. Other areas covered will include restricting physical access of unauthorized users to the building, server rooms and other secure areas by using physical access cards. For perimeter physical security of the building, intrusion alarms are used.

3.1.2 Access Control: Another layer of this organization's cybersecurity will effectively prevent unauthorized access to many resources, including the building itself and all data. The key focus areas will be privileges, authentication and audit trails, including their respective logs. Scheduled review of these logs against the baseline logs will identify out-of-the-ordinary access to the data. As a guide, this organization follows the suggested Security Control Baselines available within SP 800-53r4 and uses the AC-1 Access Control Policy and Procedures control with the control baselines of Low, Moderate and High (Joint Task Force, 2013) as applicable to our data. Access control also applies to the roles and responsibilities of those who interact with that data, to which AC-1 will also apply.
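The scheduled review of access logs against a baseline described above, as an added example that is not part of the original plan or of the organization's own tooling: it builds a per-user profile (source hosts, resources accessed, hours of access) from a baseline period and then flags review-period events that deviate from that profile. The log line format, the field names, the three-failure threshold and every log line are assumptions constructed for this example.

```python
"""Baseline comparison of access logs (added example; format and data are constructed)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline-period log lines: one access decision per line.
# Format (assumed): "<ISO timestamp> user=<u> host=<h> resource=<r> result=<ok|fail>"
BASELINE_LOGS = """\
2018-06-04T09:15:03 user=alice host=ws-12 resource=finance-share result=ok
2018-06-04T10:40:11 user=alice host=ws-12 resource=finance-share result=ok
2018-06-04T11:05:27 user=alice host=ws-12 resource=hr-docs result=ok
2018-06-05T14:22:48 user=alice host=ws-12 resource=finance-share result=ok
2018-06-04T08:03:19 user=bob host=ws-07 resource=eng-repo result=ok
2018-06-05T13:47:02 user=bob host=ws-07 resource=eng-repo result=ok
""".splitlines()

# Constructed review-period log lines to compare against the baseline.
REVIEW_LOGS = """\
2018-07-02T10:02:55 user=alice host=ws-12 resource=finance-share result=ok
2018-07-02T10:30:14 user=alice host=ws-44 resource=finance-share result=ok
2018-07-03T02:15:09 user=bob host=ws-07 resource=eng-repo result=ok
2018-07-03T10:45:31 user=carol host=ws-09 resource=finance-share result=ok
2018-07-03T09:00:00 user=bob host=ws-07 resource=finance-share result=ok
2018-07-04T09:05:01 user=bob host=ws-07 resource=eng-repo result=fail
2018-07-04T09:05:07 user=bob host=ws-07 resource=eng-repo result=fail
2018-07-04T09:05:13 user=bob host=ws-07 resource=eng-repo result=fail
""".splitlines()

FAILURE_THRESHOLD = 3  # assumed threshold; the plan does not state one


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'time'."""
    stamp, *fields = line.split()
    record = {"time": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def build_baseline(lines):
    """Summarise, per user, the hosts, resources and hours seen in the baseline period."""
    baseline = defaultdict(lambda: {"hosts": set(), "resources": set(), "hours": set()})
    for rec in map(parse_line, lines):
        profile = baseline[rec["user"]]
        profile["hosts"].add(rec["host"])
        profile["resources"].add(rec["resource"])
        profile["hours"].add(rec["time"].hour)
    return dict(baseline)


def find_anomalies(lines, baseline, failure_threshold=FAILURE_THRESHOLD):
    """Return (user, reason) pairs for review-period events that deviate from the baseline."""
    findings = []
    failures = Counter()  # failed attempts per user, counted across the review period
    for rec in map(parse_line, lines):
        user = rec["user"]
        if user not in baseline:
            findings.append((user, "user not present in baseline"))
            continue
        profile = baseline[user]
        if rec["host"] not in profile["hosts"]:
            findings.append((user, f"new source host {rec['host']}"))
        if rec["resource"] not in profile["resources"]:
            findings.append((user, f"new resource {rec['resource']}"))
        # Anything outside the earliest..latest baseline hour counts as off-hours access.
        if not (min(profile["hours"]) <= rec["time"].hour <= max(profile["hours"])):
            findings.append((user, f"access at hour {rec['time'].hour:02d} outside baseline hours"))
        if rec["result"] == "fail":
            failures[user] += 1
            if failures[user] == failure_threshold:
                findings.append((user, f"{failure_threshold} failed access attempts"))
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOGS)
    for user, reason in find_anomalies(REVIEW_LOGS, profile):
        print(f"{user}: {reason}")
```

Each finding is a review item for the scheduled log review, not an automatic block: a new host or an off-hours access may be legitimate, and the baseline itself should be rebuilt periodically so that approved changes in working patterns stop being reported.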

3.1.3 Website Data Security: Our vendor hosts and supports our public website. Any security work is done by our vendor's security team on their networks where our website is hosted. Under our contract agreement, they are responsible for all aspects of securing our website. All hosting, maintenance and management of our website is done on our vendor's networks through well-known secure web protocols that include encryption/decryption, Transport Layer Security (TLS), Secure Sockets Layer (SSL) and HTTPS.

3.1.4 Mobile and Cloud Service: The challenge of securing this vector has driven our organization to verify and confirm that all mobile devices our employees use for work-related duties, which can also include email, will have file folders encrypted, phone lock enabled, and an antivirus installed with scheduled scans enabled. Currently, CyberNomad Technologies uses the Microsoft Office 365 Cloud Service, for which cybersecurity is maintained by Microsoft. Their cybersecurity professionals assist when we require additional security controls within our Office 365 platform. Their contract, like that of any other of our vendors, goes through a rigorous review by our Compliance Department.

3.1.5 Timely Integration of Information: As a cybersecurity organization, our employees rely on having immediate access to data and information. This includes having reliable communication with our data, applications and other servers that provide the services required to run our organization. Our security access controls respond in real time and are constantly monitored in regard to response time to triggered events (Drucker, 1986).

3.1.6 Reliable Communication: Our organization holds scheduled quarterly meetings with our employees on the importance of keeping an open dialog with their respective direct managers and supervisors. This enables quick notification of any suspicious events within the network, which reduces mitigation time. We have learned that our company is stronger when our departments do not work in silos but keep open lines of reliable communication with each other.

3.1.7 System Development and Maintenance: Our computer networks are secured by monthly roll-outs of Microsoft Windows Updates on our workstations and virtual servers. We have a scheduled inventory of our applications to ensure we are running current versions, including applying firmware updates where needed on our computers and networked appliances. Any updates are always tested on a small test pool before deployment onto the entire organization's network.

3.2 Contingency Planning – The advantage of our organization's contingency planning is its focus on the end result of currently implemented processes, which are designed for the short- and long-term goals and strategies. These management policies and procedures are in place to restore technical operations when an unexpected event occurs (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). With business continuity at the forefront, we have addressed incident response, disaster recovery and business continuity in the following sections. We have selected the optimal approach to minimize the negative financial impact and still meet CyberNomad Technologies, Inc.'s vision and mission statement. For suggested guidelines we reference FIPS 199 for the potential impact and use the ratings of Low, Moderate and High (NIST, 2004).

3.2.1 Natural Calamities: Referring to NIST SP 800-34r1, our implemented contingency plan covers natural disasters, and we have a disaster recovery plan in place that can run independently of the event. This allows the damaged network to be rebuilt while minimizing negative financial impact and disruption to daily operations. This is assisted by having a backup system in place that is both onsite and cloud based in case of a natural disaster.

3.2.2 Power Outage: In the event of a complete power outage, our building backup generator is in line to support key critical aspects of our organization, which include routers, switches, VoIP phones, and the workstations of key personnel, including our CEO, COO, CIO, Directors and department managers.

3.3 Business Continuity Plan – In the event that a complete building power outage occurs and the building's backup generator fails, we have a hot-site in place to which we can roll over. Our cloud-based backup is accessible within minutes, as is our cloud-based VoIP service, where our vendor is simply required to switch over to the hot-site. These implementations are designed to minimize any negative impact on our daily business with our customers.

4: Implementation Management – Prioritized identification and protection of high value data; timely detection and quick response to a cybersecurity event; recruitment and retention of qualified personnel; and efficient and effective acquisition and deployment of existing and emerging technology (Donovan & Scott, 2015).

4.1 Proposed Timeline/Execution – Depending on the severity of a cybersecurity breach or natural event, the responses proposed earlier, including our implemented incident response, disaster recovery and business continuity plans, will be executed to minimize any negative impact on our organization.

4.2 Budget – For any additional budget requested beyond what has already been allocated to our organization's cybersecurity, a request for additional funds must be put forth to the CIO for approval. Justification for the request must be in writing for the CEO's approval. Once approved, the request is forwarded to the Director of Finance to allocate the funds.

5: Risk Management – It has been said that the best defense is a good offense. Looking ahead and being prepared is critical to keeping CyberNomad Technologies, Inc. ready for a cyber incident; it makes our network that much more resilient. Whether we use quantitative or qualitative risk analysis, there are five areas covered here that help ensure we continue to have a well-prepared cybersecurity environment. These areas are: identify the risk, work with management to bring them onboard, keep an open line of communication with C-level executives, continue to update our incident response, and keep communicating how important it is to have all employees onboard with securing the organization's network (Cooper, 2017).

5.1 Risk Identification – Using our in-house software has allowed us to identify and label our inherent potential risks. This provides a big picture for us to assess, including the security controls, and to determine what the inherent risk(s) are at that time. Our risk management practice is scheduled on a quarterly basis to keep current in this area. The areas covered include, but are not limited to: Security Programs, Risk Management & Compliance, Training, Personnel Security, Physical Security, Network Security, Logical Access and Business Continuity Management.

5.2 Risk Assessment – Our Risk, Impact and Likelihood ratings are based on Low, Medium and High, where High requires immediate remediation. We use these labels on any and all identified risks. We have determined that risk exists in the area of Personnel Security in regard to proper procedures not being in place for creating user accounts to access our organization's data. We have identified that all our systems are closely monitored. This also includes the maintenance and management of local workstation and server access.

5.3 Analysis & Prioritization – All collected information is documented and assembled for presentation to the CISO and the CIO of our organization, who will base their decisions on remediation, the priority in which found risks are remediated, and what resources are available for that remediation.

5.4 Mitigation Planning, Implementation & Monitoring – CyberNomad Technologies, Inc. will create a Request for Proposal where needed to address risks that the CISO and the CIO have deemed to require immediate attention. Any Medium to Low risks will be remediated in-house. Per our company vetting policy, we will vet at least three potential outside vendors, which must meet all requirements stated within the Request for Proposal.

5.5 Risk Tracking – Project management of the risk remediation project will be monitored and managed using in-house project management software. This will ensure the project timeline stays on schedule, and cost can also be monitored and managed through to the completion of the cyber risk remediation project.

5.6 Classification of Risk – As mentioned earlier in the Risk Analysis, the assessed risk is labeled as Low, Medium or High, where High requires immediate risk remediation. Part of the assessed risk is the Likelihood and the Impact the identified risk may have on the area being assessed. These are labeled as Not Likely, Likely, Very Likely, and Low, Medium and High respectively. The Security Classification of Risk is taken from the information within FIPS PUB 199 (NIST, 2004).

5.7 Data Driven Risk

5.8 Business Driven Risk – Risk and control allow CyberNomad Technologies, Inc. to continuously evaluate our data to ensure it remains in compliance, which gives us the opportunity to mitigate our organization's risks as they become apparent. This approach allows us to create new opportunities as they relate back to this document.

6: Cost Management

6.1 Provide security infrastructure that reduces development costs – The area that will make the most difference in moving our organization forward is virtualization. This technology replaces existing physical hardware, including servers, firewalls and our data backup solution. This improves our network performance, reliability, manageability and security. Virtualization is also a cost-effective solution as it applies to our web servers, application servers, DBMS servers and our high performance computing servers.

6.2 Reduce operational costs – The approach discussed in section 6.1 reduces monthly and yearly electrical power consumption, maintenance and management, and human resources as they apply to any physical network appliance.

6.3 Reducing development costs – Financially, virtualization within the many areas of our network infrastructure will drastically minimize the ongoing yearly upkeep of any end-of-life appliances and software.

6.4 Cost of Security – It will always be difficult for our company to know just how much in financial resources to set aside for the IT Department. If and when the cost of providing security exceeds the cost of the data, it becomes unreasonable to continue funding this area of the organization. Referring back to section 6.1 will keep us within bounds in regard to the costs and benefits in any area of security.

6.6 Potential costs – Unknown at the moment, yet if a cyber breach should occur we can see potential costs in areas that include, but are not limited to: compliance penalties, court fees, loss of data, and loss of reputation for the organization, as well as in areas of cyber prevention.

6.7 Comparative costs with industry – The significant issues impacting business needs and costs versus cyber prevention become very apparent in the light of an attack. Investing 5% of our revenue is recommended and justified (Morley, 2015).

7: Analysis & Recommendation Management

7.1 Key Elements – CyberNomad Technologies, Inc. has worked towards building a strong network infrastructure, including maintenance and management from internal IT resources and support resources from our outside vendors. These outside vendors maintain and manage our cloud-based email, cloud VoIP and a number of virtual servers. This puts us in a competitive position to continue with projects that mitigate future cyber-attacks. In regard to recommendation management, it is strongly suggested to continue with scheduled periodic review of all logs, including those of the cloud email and virtual server services. Logs will be reviewed for malware and viruses, including, but not by any means limited to, network bandwidth usage.

7.2 Conclusion and Future Work – This body of work is a live document which is subject to change as time passes and the network infrastructure, its policies and its procedures change. By continuously updating this document, CyberNomad Technologies, Inc. is in a position to identify those changes, which employees can reference in regard to security requirements and network security controls, including but not limited to roles and responsibilities.

8: Student Assessment of ISSP to Cyber Management – The ISSP is a living document that reflects the continuous changes that occur within the network infrastructure. It provides Cyber Management an overview of the organization's Roles & Responsibilities, including but not limited to the cybersecurity policies that are in place. This document is also a reference for existing projects and potential upcoming projects for the organization, including costs. These projects include the virtualization of selected hardware platforms as mentioned, and the ongoing maintenance and management of these projects once completed. The creation of this document provides what has been mentioned throughout and sets out what is expected in regard to securing the network. The success of this ISSP can be measured by every employee's participation in protecting the CyberNomad Technologies, Inc. network infrastructure.

References

Cooper, C. (2017, November 16). 5 Fundamentals in Cyber Risk Management. Retrieved July 8, 2018, from CSOOnline.com: https://www.csoonline.com/article/3235511/data-breach/5-fundamentals-in-cyber-risk-management.html

Division, C. S. (2004, February). Standards for Security Categorization of Federal Information and Information Systems. Retrieved July 8, 2018, from NIST: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Donovan, S., & Scott, T. (2015, October 30). Memorandum For Heads Of Executive Departments And Agencies. Retrieved July 6, 2018, from Executive Office Of The President Office Of Management And Budget: https://www.hsdl.org/?abstract&did=788143

Drucker, P. F. (1986). Management: Tasks, Responsibilities, Practices. New York, New York, USA: Truman Talley Books. Retrieved July 7, 2018

Joint Task Force. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved July 7, 2018, from NIST: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Journal, W. S. (2017). Hiring and Managing Employees. Retrieved June 25, 2018, from WSJ.com: http://guides.wsj.com/small-business/hiring-and-managing-employees/how-to-retain-employees/

Morley, L. (2015, February 5). How Much Should a Company Spend on IT? Retrieved June 19, 2018, from Techvera.com: https://techvera.com/company-it-spend/

NIST. (2004, February). Standards for Security Categorization of Federal Information and Information Systems. Retrieved June 10, 2018, from NIST.gov: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems. Retrieved June 10, 2018, from NIST.gov: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

USD. (2016, May). CSOL 550: Management and Cybersecurity - Lecture 1.1: Transcript. San Diego, California, United States. Retrieved May 27, 2018, from https://ole.sandiego.edu/bbcswebdav/pid-1198498-dt-content-rid-3398962_1/courses/CSOL-550-MASTER/CSOL550_Lecture1.1_Transcript.pdf
