Information Systems Security Plan

Julian Bennett

University of San Diego

Table of Contents

Company Summary

Management

Planning

Risk Management

Recommendations to Management

Assessment of ISSP alignment to Cyber Management

References

Company Summary

Acme Corp. is a software development company that takes a holistic approach to providing software solutions for its clients. Acme is dedicated to the development of creative and innovative products and services, providing custom information solutions for its strong client base. Services include tailored applications, web design, and e-commerce across a broad spectrum of industries, including healthcare, education, retail, finance and manufacturing. Acme Corp.’s information environment supports over 500 employees across 10 departments with internet and intranet access and collaboration portals, and twenty software development and test networks simulating a variety of client industry types. Maintaining such a sensitive and complex environment requires significant planning for implementation, security, cost and risk management. The Acme Corp. Information System Security Plan (ISSP) defines the information security standards and procedures for assuring the confidentiality, integrity, and availability of all information systems under the control of the organization.

Management

As with any ISSP, specific individuals or groups are responsible for the management and execution of all security initiatives. NIST Special Publication 800-18 describes the key roles and responsibilities of the groups and individuals that are critical to the development, planning and execution of the ISSP:

Chief Information Officer

The Chief Information Officer, or CIO, “is the agency official responsible for developing and maintaining an agency-wide information security program” and delegates the authority for system security planning to the agency’s information security officer (Swanson, Hash, & Bowen, 2006). Overall, the CIO develops and maintains “information security policies, procedures, and control techniques to address system security planning” and manages the “identification, implementation, and assessment of common security control” (Swanson et al., 2006). Because of the significance of the role, and the authority it carries to delegate its duties, it is the CIO’s duty to ensure that all other roles significant to the security of the information environment are properly trained to execute their responsibilities on behalf of the organization.

Information System Owner

The Information System Owner plays a key role in the development of the ISSP. The system owner is the direct link between the CIO and the enabling information system, as the owner has direct knowledge of the system and is “responsible for the overall procurement, development, integration, modification, or operation and maintenance” (Swanson et al., 2006). The system owner is accountable for coordinating with all other stakeholders in the development and maintenance of the ISSP, in addition to modifying security controls as required.

Information Owner

The Information Owner (IO) has operational authority and control of the information stored and processed by information systems. This role is responsible for establishing controls to properly safeguard and dispose of collected data. When developing the ISSP, the IO contributes to the establishment of appropriate rules for the “use and protection of the subject data/information (rules of behavior) and effective access and security controls specific to the type of data” (Swanson et al., 2006).

Chief Information Security Officer

The Chief Information Security Officer (CISO) is commonly the “agency official responsible for serving as the CIO’s primary liaison to the agency’s” stakeholders charged with maintaining the information environment and planning and developing the ISSP (Swanson et al., 2006). Oftentimes, the CIO delegates to the CISO the authority to carry out responsibilities for system security planning, and accepts the plan after coordinating with Information System Owners (ISOs), Information System Security Officers and the Authorizing Official.

Information System Security Officer

The Information System Security Officer (ISSO) is responsible overall for ensuring that the “appropriate operational security posture is maintained for an information system or program” (Swanson et al., 2006). Typically, ISSOs assist senior stakeholders in the identification and implementation of security controls in order to ensure compliance and efficient development of the ISSP.

Authorizing Official

The Authorizing Official (AO) is a senior management official authorized to formally and legally assume responsibility for the entire information environment at a level of risk necessary to safely continue operations. Often a secondary role held by the CIO or CISO, the AO ultimately approves the ISSP and authorizes the operation of information systems in the environment.

Information Security Steering Committee

The Information Security Steering Committee (ISSC) is a group of Acme Corp.’s security staff, chaired by the CISO. The committee is responsible for recommending and assisting in the coordination of company information security programs. The ISSC advises on guidelines, standards, and industry best practices that would benefit the organization in preserving the confidentiality, integrity and availability of Acme information systems. The steering committee consists of the CISO, system owners, information owners, the information system security officer, and selected system administrators.

System Administrator

System Administrators are responsible for the configuration and integration of assigned systems into the Acme Corp. information environment. In terms of data security, additional duties include ensuring that assigned systems and their resources meet all information security requirements, including continuous planning for business continuity in the event of an incident or disruption.

Planning

Extensive planning is required to implement a solid ISSP that addresses all security controls based on the security categorization of Acme Corp.’s information systems. Not all information processed by Acme systems is equal, with some data more critical to business operations than other data. As defined in NIST Special Publication (NIST SP) 800-53, Acme’s information systems are categorized as moderate- and high-impact information systems that, at a minimum, employ security controls from the moderate and high baselines of security controls. The Acme systems supporting standard business operations, including storing and processing corporate data, are categorized as moderate-impact systems, while the separate software development and test networks containing high-risk proprietary source code are categorized as high-impact systems.

Moderate Impact Security Controls

The information systems supporting standard business operations (processing and storage of corporate data, email services, and collaboration services) require security controls from the moderate baseline of security controls as defined in NIST SP 800-53. Acme Corp.’s corporate data includes financial data, accounting data, and human resource information as well as vendor and client lists. Access control to these types of information is segmented and carried out using the Brewer-Nash security model in order to preserve the integrity and confidentiality of the data (Brewer & Nash, 1989).
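A worked illustration of the Brewer-Nash (Chinese Wall) decision rule applied to segmented client and vendor data as described above. This is an added example, not Acme’s code or anything from the cited paper; the client names, the industries used as conflict-of-interest classes, and the `sanitized` flag are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DataObject:
    name: str
    company: str            # company dataset (the client) the object belongs to
    conflict_class: str     # conflict-of-interest class, here the client's industry
    sanitized: bool = False  # public/sanitized data sits outside the wall (assumed flag)

@dataclass
class Subject:
    name: str
    history: set = field(default_factory=set)  # (company, conflict_class) pairs read so far

def can_read(subject: Subject, obj: DataObject) -> bool:
    """Simple security rule: allowed if the object is sanitized, or if the subject
    has never read data of a *different* company in the same conflict class."""
    if obj.sanitized:
        return True
    return not any(cls == obj.conflict_class and company != obj.company
                   for company, cls in subject.history)

def read(subject: Subject, obj: DataObject) -> bool:
    """Attempt a read; a successful read is recorded, which is what builds the wall."""
    if not can_read(subject, obj):
        return False
    if not obj.sanitized:
        subject.history.add((obj.company, obj.conflict_class))
    return True

def can_write(subject: Subject, obj: DataObject) -> bool:
    """*-property: write only if the object is readable and every unsanitized object
    the subject has read belongs to obj's company, so a write cannot carry one
    client's data into another client's dataset."""
    if not can_read(subject, obj):
        return False
    return all(company == obj.company for company, _ in subject.history)

def demo() -> dict:
    """Constructed scenario: an Acme analyst handling client lists of two banks and a clinic."""
    bank_a = DataObject("bank_a_client_list", "BankA", "finance")
    bank_b = DataObject("bank_b_client_list", "BankB", "finance")
    clinic = DataObject("clinic_vendor_list", "ClinicCo", "healthcare")
    report = DataObject("finance_industry_report", "BankB", "finance", sanitized=True)
    alice, bob = Subject("alice"), Subject("bob")
    results = {
        "alice_reads_bank_a": read(alice, bank_a),   # True: first finance access
        "alice_reads_clinic": read(alice, clinic),   # True: different conflict class
        "alice_reads_bank_b": read(alice, bank_b),   # False: wall blocks a BankA competitor
        "alice_reads_report": read(alice, report),   # True: sanitized data is exempt
        "alice_writes_bank_a": can_write(alice, bank_a),  # False: she also holds ClinicCo data
    }
    read(bob, bank_a)
    results["bob_writes_bank_a"] = can_write(bob, bank_a)  # True: only BankA in his history
    return results
```

The point the model makes for Acme’s vendor and client lists is that the wall is built dynamically from a subject’s access history rather than from a static clearance, so a read of one client’s data in a conflict class is what forbids later reads of a competitor’s data in that class.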

High Impact Security Controls

The information systems supporting the software development and test networks are logically segregated from the standard network and require security controls from the high baseline of security controls as defined in NIST SP 800-53. The information processed on these systems is the core of Acme’s business model and is therefore highly sensitive and mission critical. Acme employees’ work roles determine physical access to systems and logical permissions to view and manipulate data. These role-based permissions are granted to developers and management on a need-to-know basis only, while systems are under continuous monitoring and logging. Technical controls are in place to encrypt proprietary data using a local key infrastructure.

Contingency Planning

The first and foundational step in the contingency planning process for an ISSP is the Business Impact Analysis (BIA). The BIA is used to project Acme’s risk and the consequences of a disruption of mission essential functions (MEFs) in order to further develop recovery strategies (“Ready.gov Business Impact Analysis”, n.d.). During the BIA, critical information systems are aligned to MEFs, in addition to a detailed analysis of the impact of system disruption and the respective downtimes. A key benefit of this process is a realistic picture of which resources are required and how recovery priorities for these system resources are identified (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). This fundamental contingency planning step is arguably the most important, as all follow-on planning actions depend on these BIA results.

Incident Response Planning. The second component of contingency planning is the development of an Incident Response Plan (IRP). It is a detailed collection of procedures for mitigating and resolving malicious and anomalous incidents within Acme Corp.’s information environment. It is important to note that an IRP is entirely reactive in nature and is not designed to prevent incidents from occurring (McCready, n.d.). Key personnel must be identified to perform specific functions in response to an incident, based on industry best practices, Acme’s security policies and, most importantly, the BIA. Response actions can adversely impact information systems that are critical to Acme’s support to its clients, so careful planning is imperative to strike a reasonable balance between risk mitigation and continuity of operations.

Disaster Recovery Planning. Major system disruptions with long-term effects on business functions require a detailed Disaster Recovery Plan (DRP). A DRP is designed to restore information system operations at an alternate location unaffected by the original cause of the disaster, whether man-made or natural. Included in the plan are the necessary steps to be taken during and after the incident occurs, with the intent of incurring little to no service interruption (Swanson et al., 2010).

Business Continuity Planning. Procedures for sustaining MEFs during significant disruptions are most appropriately detailed in the Business Continuity Plan (BCP). According to Swanson et al. (2010), a BCP is a “business process focused plan”, addressing the need to sustain core business functions while infrastructure is restored after a significant disruption. Not only does this plan decrease operational downtime, but it allows Acme to maintain a competitive advantage should the degradation affect multiple competitors (Vitez, n.d.).

Risk Management

Acme Corp. shall manage risk by identifying, evaluating, controlling, monitoring, and mitigating weaknesses that threaten information systems under its control. Risk can be defined as the likelihood of a threat event’s occurrence and its impact to the business should the event occur, as illustrated in Figure 1.

Figure 1. Generic risk model with key risk factors. Extracted from NIST SP 800-39.

This risk management is a continuous process with periodic risk assessments and control implementation. Triggers for reassessment are any significant modification in the information environment or the discovery of new vulnerabilities. Acme approaches its risk management process as defined in NIST Special Publication 800-39 “Guide for Conducting Risk Assessments”. These processes include framing risk, assessing risk, responding to risk, and monitoring risk, as illustrated in Figure 2.

Figure 2. Risk assessment within the risk management process. Extracted from NIST SP 800-39.

Acme will first contextualize risk by framing the environment in which risk decisions are made, in order to produce the risk management strategy that addresses how it will assess, respond to, and monitor risk. This risk management strategy institutes the baseline and defines boundaries for risk-based decisions. Secondly, Acme shall assess risk within the risk framing context to identify threats, vulnerabilities and the adverse impact that exploited vulnerabilities would present. The third component of this process addresses how Acme Corp. responds to a determined risk. This is a critical step in providing an even, company-wide risk response by developing courses of action, both primary and secondary, consistent with the organization’s risk tolerance and then implementing the selected response action. Acme must not overlook the fourth and final component in the risk assessment cycle: risk monitoring. Information environments change as much as the threat landscape. Therefore, it is essential to monitor the effectiveness of risk responses and security controls throughout their use and verify that they are still applicable and fulfilling security requirements.

The continuous risk assessment cycle translates to Acme Corp. performing risk assessments on all new systems and on systems with approved, significant changes. Before systems are significantly modified or moved into an active production environment, appropriate and reasonable measures must take place to address the risks of identified vulnerabilities. Monitoring will take place by conducting annual risk assessments on Acme Corp. information systems, and control measures will be implemented to fully remediate risk or mitigate it to an acceptable level. Third-party software used in Acme’s environments will be monitored for security alerts and bulletins, and remediation will be coordinated with the providing vendor.

Recommendations to Management

The key elements described herein are the minimum standards necessary for successful implementation of a strong and secure information environment. The foundational, and likely largest, section of the ISSP is risk management, as it lays the groundwork for addressing any risk to the company. All follow-on actions and decisions must be made within the context of all identified risks. It is a continuous process, and because it is reevaluated whenever changes occur, controls based on risk assessments change as well. Organized management is key to implementing the ISSP. Clear roles and responsibilities must be established so that security initiatives and programs can function seamlessly with each other.

At the heart of the ISSP is extensive planning. As stated previously in this document, not all information processed by Acme Corp. is equal, with some data more critical to the business than other data. Therefore, careful planning is required to properly assess the impact security incidents would have on different types of data, properly categorize them, and implement appropriate security controls for their classification level. A key element within the planning phase for an ISSP is preparing for possible contingencies. Business continuity planning, incident response planning and disaster recovery planning must be conducted in order to ensure that security incidents do not adversely affect Acme’s business model and services to its clients. It is imperative that the roles and responsibilities of the security team are clearly defined, for increased efficacy of the ISSP, and that the ISSP is regularly updated.

Assessment of ISSP Alignment to Cyber Management

In a modern and rapidly evolving information environment, it behooves businesses to adopt minimum security controls to protect information systems in order to maximize process efficacy while maintaining a secure standard. All security personnel must understand the system security planning process, as security is everyone’s responsibility and all have a stake in the success of the process. A clear and concise ISSP enables executives, management and IT personnel to see a clear picture of what their role is and where they must focus their efforts. Organizations that lack an ISSP, or that do not maintain their existing ISSP, are less likely to effectively manage their risk to the business. This results in a lack of focus or consistency in IT actions taken across the enterprise and can prove disastrous should security incidents occur that disrupt business operations.

References

Brewer, D. F., & Nash, M. J. (1989). The Chinese Wall security policy. Proceedings of the 1989 IEEE Symposium on Security and Privacy (pp. 206-214). IEEE.

Joint Task Force Transformation Initiative. (2012). Guide for conducting risk assessments. NIST Special Publication 800-30 Revision 1.

Joint Task Force Transformation Initiative. (2013). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-53 Revision 4.

McCready, J. (n.d.). Contingency planning [PowerPoint slides]. CSOL 550 Management and Cyber Security, University of San Diego.

Ready.gov business impact analysis (n.d.). Retrieved from https://www.ready.gov/business-impact-analysis

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010). Contingency planning guide for federal information systems. NIST Special Publication 800-34 Revision 1.

Swanson, M., Hash, J., & Bowen, P. (2006). Guide for developing security plans for federal information systems. NIST Special Publication 800-18 Revision 1.

Vitez, O. (n.d.). Why use a business continuity plan? Retrieved from https://smallbusiness.chron.com/use-business-continuity-plan-4525.html