Julian Bennett
Table of Contents
Company Summary .......... 3
Management .......... 3
Planning .......... 6
Risk Management .......... 9
Recommendations to Management .......... 11
References .......... 13
Company Summary
Acme Corp. is a software development company that focuses on the holistic approach
to providing software solutions for its clients. Acme is dedicated to the development of
creative and innovative products and services, providing custom information solutions for its
strong client base. Services include tailored applications, web design, and e-commerce across
manufacturing. Acme Corp.’s information environment supports over 500 employees across
10 departments with internet and intranet access and collaboration portals, and twenty
software development and test networks simulating a variety of client industry types.
implementation, security, cost and risk management. The Acme Corp. Information System
Security Plan (ISSP) defines the information security standards and procedures for assuring
the confidentiality, integrity, and availability of all information systems under control of the
organization.
Management
As for any ISSP, specific individuals or groups are responsible for the management
and execution of all security initiatives. NIST Special Publication 800-18 addresses the key
roles and responsibilities of these groups or individuals that are critical in the development,
The Chief Information Officer, or CIO, “is the agency official responsible for
developing and maintaining an agency-wide information security program” that delegates the
authority for system security planning to the agency’s information security officer (Swanson,
Hash, & Bowen, 2006). Overall the CIO is to develop and maintain “information security
policies, procedures, and control techniques to address system security planning and manages
al., 2006). Due to the significant role, and therefore the authorization to delegate his duties, it
is the CIO’s duty to ensure all other significant roles for the security of the information
environment are properly trained to execute the responsibilities on behalf of the organization.
The Information System Owner plays a key role in the development of the ISSP. This
system owner is a direct link between the CIO and the enabling information system as it has
direct knowledge of the system and is “responsible for the overall procurement, development,
integration, modification, or operation and maintenance” (Swanson, et al., 2006). The system
owner is accountable for coordinating with all other stakeholders in the development and
Information Owner
The Information Owner (IO), has operational authority and control of the information
stored and processed by information systems. The billet is responsible for establishing
controls to properly safeguard and dispose of collected data. When developing the ISSP, the
IO contributes the establishment of appropriate rules for the “use and protection of the subject
data/information (rules of behavior) and effective access and security controls specific to the
The Chief Information Security Officer (CISO), is commonly the “agency official
responsible for serving as the CIO’s primary liaison to the agency’s” stakeholders charged
with maintaining the information environment and planning and developing the ISSP
(Swanson et al., 2006). Oftentimes, the CIO delegates authority to the CISO to carry out
responsibilities for system security planning and accepts the plan after coordinating with
The Information System Security Officer (ISSO) is overall required to ensure that the
(Swanson et al., 2006). Typically, ISSOs assist senior stakeholders in the identification and
of the ISSP.
Authorizing Official
and legally assume the responsibility for the entire information environment at a level of risk
necessary to safely continue operations. Oftentimes the secondary role of the CIO or CISO,
the AO ultimately approves the ISSP and authorizes the operation of information systems in
the environment.
security staff, chaired by the CISO. The committee is responsible for recommending and
assisting in the coordination of company information security programs. The ISSC advises of
guidelines, standards, and industry best practices that would benefit the organization in
preserving the confidentiality, integrity and availability of Acme information systems. The
steering committee consists of CISO, system owners, information owners, the information
System Administrator
assigned systems into the Acme Corp. information environment. In terms of data security,
additional duties include ensuring assigned systems and their resources meet all information
security requirements, including continuous planning for business continuity in the event of
incident or disruption.
Planning
Extensive planning is required to implement a solid ISSP that addresses all security
controls based on the security categorization of Acme Corp.’s information systems. Not all
information processed by Acme systems is equal, with some data more critical to business
operations than others. As defined in NIST Special Publication (NIST SP) 800-53, Acme’s
information systems are categorized into moderate- and high-impact information systems that,
at a minimum, employ security controls from the moderate and high baselines of security
controls. The Acme systems supporting standard business operations, including storing and
processing corporate data, are categorized as moderate-impact systems while the separate
software development and test networks containing high risk proprietary source code are
storage of corporate data, email services, and collaboration services) require security controls
from the moderate baseline of security controls as defined in NIST SP 800-53. Acme Corp.’s
corporate data includes financial data, accounting data, human resource information as well as
vendor and client lists. Access control to these types of information is segmented and carried
out using the Brewer-Nash security model in order to preserve the integrity and
The information systems supporting the software development and test networks are
logically segregated from the standard network and require security controls from the high
systems are the core of Acme’s business model and therefore highly sensitive and mission
critical. Acme employees’ work roles determine physical access to systems and logical
permissions to view and manipulate data. These role-based permissions are granted to
developers and management with need-to-know only, while systems are under continuous
monitoring and logging. Technical controls are in place to encrypt proprietary data using local
key infrastructure.
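The Brewer-Nash (Chinese Wall) model named above for segmenting access to corporate data is easiest to understand as a running check. The following is an added example, not Acme Corp.’s code; the datasets, conflict-of-interest classes and subject names are constructed for illustration, since the page does not describe Acme’s actual data layout.

```python
"""Brewer-Nash (Chinese Wall) access checks: added example, not Acme's code.

Datasets and conflict-of-interest (CoI) classes below are constructed for
illustration; the page names the model but not Acme's actual data layout.
"""
from dataclasses import dataclass, field

# Constructed CoI classes: datasets in the same class belong to competitors.
COI_CLASSES = {
    "client_alpha": "manufacturing-clients",
    "client_beta": "manufacturing-clients",
    "vendor_x": "vendors",
    "vendor_y": "vendors",
}
SANITIZED = {"public"}  # sanitized data sits outside every CoI class


@dataclass
class Subject:
    name: str
    accessed: set = field(default_factory=set)  # datasets already read: the "wall"

    def can_read(self, dataset: str) -> bool:
        """Simple security rule: allow a dataset already on this side of the wall,
        or one whose CoI class the subject has not touched yet."""
        if dataset in SANITIZED or dataset in self.accessed:
            return True
        cls = COI_CLASSES[dataset]
        return all(COI_CLASSES[d] != cls for d in self.accessed if d not in SANITIZED)

    def read(self, dataset: str) -> bool:
        """Record a permitted read; each new dataset extends the wall."""
        if not self.can_read(dataset):
            return False
        self.accessed.add(dataset)
        return True

    def can_write(self, dataset: str) -> bool:
        """*-property: write only if the dataset is readable and the subject has
        read no other unsanitized dataset, so one client's data cannot flow
        through the subject into another dataset."""
        if not self.can_read(dataset):
            return False
        others = {d for d in self.accessed if d not in SANITIZED} - {dataset}
        return not others


def demo() -> dict:
    """Walk one constructed developer through the model; returns the decisions."""
    dev = Subject("dev1")
    return {
        "read_alpha": dev.read("client_alpha"),        # True: no wall yet
        "read_beta": dev.read("client_beta"),          # False: competitor of alpha
        "read_vendor_x": dev.read("vendor_x"),         # True: different CoI class
        "write_alpha": dev.can_write("client_alpha"),  # False: vendor_x was also read
        "write_public": dev.can_write("public"),       # False: would leak unsanitized reads
    }
```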
Contingency Planning
The first and foundational step in the contingency planning process for an ISSP is the
Business Impact Analysis (BIA). This BIA is used to project Acme’s risk and consequences
strategies (“Ready.gov Business Impact Analysis”, n.d.). During the BIA, critical information
systems are aligned to MEFs in addition to a detailed analysis of the impact of system disruption
and respective downtimes. A key benefit to this process is a realistic picture of which
resources are required and how recovery priorities for these system resources are identified
(Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). This fundamental contingency planning
step is arguably the most important as all follow-on planning actions depend on these BIA
results.
mitigating and resolving malicious and anomalous incidents within Acme Corp.’s
information environment. It is important to note that an IRP is fully reactionary in nature and
is not designed to prevent incidents from occurring (McCready, n.d.). Key personnel must be
practices, Acme’s security policies and most importantly, the BIA. Response actions can
adversely impact information systems that are critical to Acme’s support to its clients, so
careful planning is imperative to strike a reasonable balance between risk mitigation and
continuity of operations.
Disaster Recovery Planning. Major system disruptions with long-term effects on
business functions require a detailed Disaster Recovery Plan (DRP). A DRP is designed to
restore information system operations at an alternate location unaffected by the original cause
of disaster, whether man-made or natural. Included in the plan are necessary steps taken
during and after the incident occurs with the intent to incur little to no service interruption
disruptions are most appropriately detailed in the Business Continuity Plan (BCP). According
to Swanson et al. (2010), a BCP is a “business process focused plan”, addressing the need to
sustain core business functions while infrastructure is restored after significant disruption. Not
only does this plan decrease operational downtime but allows Acme to maintain a competitive
Risk Management
Acme Corp. shall manage risk by identifying, evaluating, controlling, monitoring, and
mitigating weaknesses that threaten information systems under its control. Risk can be
defined as the likelihood of a threat event’s occurrence and its impact to the business should the
Figure 1. Generic Risk model with key risk factors. Extracted from NIST SP 800-39
This risk management is a continuous process with periodic risk assessments and control
implementation. Triggers to these changes are any significant modification in the information
process as defined in NIST Special Publication 800-39 “Guide for Conducting Risk
Assessments”. These processes include framing risk, assessing risk, responding to risk, and
Figure 2. Risk assessment within the risk management process. Extracted from NIST SP 800-39
Acme will first contextualize the risk by framing the environment in which risk decisions are
made in order to produce the risk management strategy to address how it will assess, respond
to, and monitor risk. This risk management strategy institutes the baseline and defines
boundaries for risk-based decisions. Secondly, Acme shall assess risk within the risk framing
context to identify threats, vulnerabilities and the adverse impact exploited vulnerabilities will
present. The third component of this process addresses how Acme Corp. responds to a
determined risk. This is a critical step in providing an even, company-wide risk response by
developing courses of action, both primary and secondary, consistent with the organization’s
risk tolerance and then implementing the selected response action. Acme must not overlook
the fourth and final component in the risk assessment cycle – risk monitoring. Information
environments change as much as the threat landscape. Therefore, it is essential to monitor the
effectiveness of risk responses and security controls throughout their use and verify that they
At Acme Corp., the continuous risk assessment cycle translates into performing risk
assessments on all new systems and on systems with approved, significant changes. Before
appropriate and reasonable measures must take place to address risks with identified
vulnerabilities. Monitoring will take place by conducting annual risk assessments on Acme
Corp. information systems and control measures will be implemented to fully remediate or
mitigate risk to an acceptable level. Third party software used in Acme’s environments will
be monitored for security alerts and bulletins and remediation will be coordinated with the
providing vendor.
Recommendations to Management
The key elements described herein are minimum standards necessary for successful
implementation of a strong and secure information environment. The foundational, and likely
largest section of the ISSP is risk management as it lays the groundwork for any risk to the
company. All follow-on actions and decisions must be made within the context of all
occur, controls based on risk assessments change as well. Organized management is key to
implementing the ISSP. Clear roles and responsibilities must be established, so security
At the heart of the ISSP is extensive planning. As stated previously in this document,
not all information processed by Acme Corp. is equal, with some data more critical to the
business than others. Therefore, careful planning is required to properly assess the impact
security incidents would have on different types of data, properly categorize them, and
implement appropriate security controls for their classification level. A key element within the
planning phase for an ISSP is preparing for possible contingencies. Business continuity
planning, incident response planning and disaster recovery planning must be conducted in
order to ensure security incidents do not adversely affect Acme’s business model and services
to its clients. It is imperative that roles and responsibilities of the security team are clearly
defined for increased efficacy of the ISSP and the ISSP is regularly updated.
process efficacy while maintaining a secure standard. All security personnel must understand
the system security planning process as security is everyone’s responsibility and all have a
stake in the success of the process. A clear and concise ISSP enables executives, management,
and IT personnel to see clearly what their role is and where they must focus their
efforts. Organizations that lack an ISSP or do not maintain their existing ISSP are less likely to
effectively manage their risk to business. This results in a lack of focus or consistency in IT
actions taken across the enterprise and can prove disastrous should security incidents occur
References
Brewer, D. F., & Nash, M. J. (1989). The Chinese Wall security policy. Security and privacy,
Joint Task Force Transformation Initiative. (2012). Guide for conducting risk assessments.
Joint Task Force Transformation Initiative. (2013). Security and privacy controls for federal
McCready, J. (n.d.). Contingency planning [PowerPoint slides]. CSOL 550 Management and
impact-analysis
Swanson, M., Bowen, P., Phillips, A.W., Gallup, D., & Lynes, D. (2010). Contingency
planning guide for federal information systems. NIST Special Publication 800-34
Revision 1.
Swanson, M., Hash, J., & Bowen, P. (2006). Guide for developing security plans for federal
https://smallbusiness.chron.com/use-business-continuity-plan-4525.html