
Olympus AI

Sabrina Toubbeh

Cyber Management - CSOL 550

June 28, 2021

Professor Ron Fulton



Table of Contents

1: Company Summary
2: Management
3: Planning Management
4: Implementation Management
5: Risk Management
6: Cost Management
7: Recommendation
8: Student Assessment of ISSP alignment to Cyber Management
References

1: Company Summary

Olympus AI is a corporation that provides artificial intelligence (AI) solutions to the United States military to support national defenses. Located in Long Beach, California, Fort Meade, Maryland, and Austin, Texas, Olympus AI is home to 1500 employees. The United States is heavily invested in competing with international rivals for innovative military AI applications, and Olympus AI leads the market in providing the most advanced AI systems (FAS.org).

1. Enterprise Architecture (System Description/Purpose)

a. Olympus AI has three data centers, with its headquarters residing in Austin, Texas. The remaining two data centers are located in Long Beach, California and Fort Meade, Maryland. These data centers run and operate all of Olympus AI’s mission-critical systems. Olympus AI utilizes a hub-and-spoke distribution model for data delivery between clients and the organization. Clients, the military in our case, are able to access services and updates hosted on the cloud. Olympus AI will utilize AWS GovCloud to remain in compliance with all state and federal regulations.

2: Management

2.1 Roles and Responsibilities

Chief Executive Officer (CEO)

● The CEO is primarily responsible for approving and authorizing information security systems and personnel
● Establishes the appropriate cybersecurity culture for the organization and emphasizes the importance of information security

Chief Information Officer (CIO)

● Responsible for designating a Chief Information Security Officer (CISO)
● Executive head of the program who oversees the use of information technology and reports directly to the CEO
● Approves policies, standards, guidelines and procedures consistent with federal laws, regulations, and executive orders

Chief Information Security Officer (CISO)

● Runs the day-to-day operations of all the information security systems as directed by the CIO
● Develops methods to implement and enforce security policies, standards, and guidelines, and ensures the organization can adapt to evolving compliance regulations
● Coordinates the identification, implementation, and assessment of security controls
● Documents performance and reviews the security plan to ensure it is up to date

2.2 Planning Management

The CISO, CIO and applicable department heads are responsible for developing a security plan. The security plan must be in compliance with all applicable laws, regulations, standards and guidelines.

2.3 Implementation Management

The CISO is fully responsible for the day-to-day implementation of the security plan across all systems. The CIO is responsible for ensuring that the implementation meets the requirements of Olympus AI.

2.4 Risk Management

The CISO is responsible for risk assessment and data classification. However, the CIO is responsible for handling highly critical risks.

2.5 Human Resource Management

The Chief Human Resources Officer (CHRO) is responsible for overseeing all human resource management activities. The CHRO is also responsible for implementing policies developed by the CISO and approved by the CIO.

2.6 Cost Management

The CIO is responsible for creating a cyber security budget that must be approved by the Chief Financial Officer (CFO) and CEO. The CISO is responsible for implementing the cyber security plan while staying within the approved budget.

3: Planning

3.1 Information Security Implementation (Security Controls)

Olympus AI is responsible for processing sensitive information for the United States military. Our legal obligation is to develop processes that ensure the confidentiality, integrity and availability of client data are not compromised, and to establish administrative, technical, and physical safeguards that protect against unauthorized access to or use of this information. Olympus AI will utilize the NIST Risk Management Framework (RMF) to manage information security and privacy risk and will follow its recommendations to meet the requirements of the Federal Information Security Modernization Act (FISMA) (NIST, 2019).

3.1.1 Physical security:

Access to Olympus AI data centers should be restricted to those responsible for operation and maintenance. Non-IT personnel are not permitted unless authorized and escorted by an IT staff member. All equipment must be physically protected from threats in locked rooms that require badge access and biometric authentication. There will also be security personnel outside every entry point to ensure tailgating does not occur.

3.1.2 Access control:

Olympus AI will implement least-privilege access, which gives users the minimum level of access needed to perform their job functions. User access privileges will be determined by system administrators. Two-factor authentication will be required to access information systems. If an employee no longer works for Olympus AI, their user access privileges must be revoked within 48 hours of leaving the company. All employees must log their time of entry, time of exit and what they were working on.

3.1.3 Website Data Security:

In order to protect Olympus AI internal and public-facing websites, the following steps will be followed (CISA, 2020):

1. Secure domain ecosystems
   a. Change all default passwords provided by your domain registrar
   b. Enforce multi-factor authentication (MFA)
2. Secure user accounts
   a. Enforce MFA on all accounts accessible from the internet
   b. Implement the principle of least privilege access
3. Continuously scan and remediate for vulnerabilities
   a. Patch all critical vulnerabilities
   b. Secure data in transit
4. Backup data
   a. Keep backup media in a separate physical remote environment
5. Secure web servers

3.1.4 Mobile and Cloud service:

Olympus AI handles extremely sensitive government data; therefore, personally owned mobile devices (smartphones, tablets, laptops) will not be allowed to conduct any company business. Instead, Olympus AI will provide corporate-owned devices to employees based on their job role and duties. Eligibility will be determined by Olympus AI. This limits the risk of theft, loss, or damage of devices and of employee and corporate liability, and allows real-time monitoring that enables the IT team to take immediate action when an issue occurs (Gilmore).

3.1.5 Timely Integration of Information:

All automated reporting and monitoring tools must operate in real time so that vulnerabilities and anomalies are discovered right away. Members of the security team must always be available to respond to alerts in a timely manner.

3.1.6 Reliable Communication:

Due to the criticality of the data Olympus AI processes, there must be a designated team of cybersecurity staff available 24/7 via phone and email; teams will rotate shifts accordingly. Cyber security teams are expected to respond immediately to all communications.

3.1.7 System Development and Maintenance:

System development and maintenance will follow all current standards and should be updated as system events trigger the need for revision. The designated system owner is responsible for coordinating system development (NIST, 2006).

3.2 Contingency Planning

In order to achieve resiliency, Olympus AI has developed policies and procedures to respond, recover and continue operations after a disruption or disaster. With a good contingency plan in place, Olympus AI can restore critical information system operations with as little downtime, risk, and disruption as possible. Having these procedures will also minimize large financial losses.

3.2.1 Natural Calamities:

In the event of a natural disaster, the IT team will begin the process of restoring service following all necessary policies and procedures. Backups are also extremely critical, since a natural disaster can wipe out an entire system. Backups must be encrypted, stored in a separate location and accessed by authorized personnel only.

3.2.2 Power Outage:

In the event of a power outage, employees should continue working from home or offsite locations if permitted. If the power outage is system-wide, the procedures to follow are outlined in the Business Continuity Plan. Employees will be notified when power has been restored.

3.3 Business Continuity Plan

Olympus AI has created a business continuity plan that provides policy and guidance to ensure that the respective teams can respond effectively to a disruption and restore services in a timely manner. In an effort to mitigate these potential risks and minimize system downtime, Olympus AI will use its resources to back up data in a separate location. If a disruption occurs, the backup will be utilized to restore operations as quickly as possible.

4: Implementation Management

4.1 Proposed Timeline/Execution

The proposed timeline for full implementation of the policies within the business continuity plan is within 60 days of the authorization date. This date is subject to change only by approval from the CIO or CISO.

4.2 Related Laws/Regulations/Policies

The business continuity plan must be in compliance with all federal and state laws, regulations and policies. Anyone holding an executive-level position is required to follow the regulations of financial practice and corporate governance under the Sarbanes-Oxley Act (SoxLaw). All Olympus AI employees are required to be in compliance with applicable laws, regulations, and policies. The BCP team is responsible for overseeing the initiation, planning, approval, testing and audit of the BCP.

5: Risk Management

The risk management process is a framework for the actions that need to be taken. The framework includes 5 steps to manage a risk: identifying risks, completing an assessment of the risks, prioritizing risks, developing a solution to implement, and monitoring the risk. Olympus AI utilizes the NIST Risk Management Framework (RMF), which provides a holistic and comprehensive risk management process.

5.1 Risk Identification

Olympus AI will take the first step by identifying any risks the business is exposed to in its operating environment. This includes legal risks, environmental risks, market risks, regulatory risks, cyber security risks, and more.

5.2 Risk Assessment

Risk assessment should be carried out annually by the CIO and by outside auditors as well. Risks are identified and categorized by their expected frequency and the impact level they have on the business’s systems. Olympus AI will use the NIST Privacy Risk Assessment Methodology (PRAM) to help in the assessment of risks (NIST, 2017).

5.3 Analysis & Prioritization

Each risk is scored based on the probability of unauthorized access and its financial, operational, and reputational impact. Based on the score given, Olympus AI can prioritize risks accordingly. Risks with a high impact and high probability will be given the highest priority to mitigate. A low-impact risk with a low probability of occurring will not be prioritized.

5.4 Mitigation Planning, Implementation & Monitoring

Our implementation process will depend on the type of risks identified. Olympus AI will define and implement proper security controls to help manage potential risks so that they are avoided or the likelihood of their occurring is minimized.

5.5 Classification of Risk

Risk classification will determine the appropriate security requirements for Olympus AI IT systems. Risk classification will be defined using three elements: data classification, availability requirements, and external obligations.

Table 1: FIPS 199 Categorization

Following FIPS Publication 199, each risk can be further classified by the impact level of a loss of confidentiality, integrity, or availability.
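As an added illustration (not part of the original ISSP), the following Python sketches the FIPS 199 high-water mark categorization behind Table 1 together with the probability-times-impact scoring of section 5.3; the sample register, the 1-5 rating scales and the priority thresholds are assumptions, not Olympus AI policy values.

```python
# Added example (not part of the original ISSP): FIPS 199-style security
# categorization using the high-water mark, combined with the probability x
# impact scoring described in section 5.3. The register below is constructed
# for illustration; the 1-5 rating scales and bucket thresholds are assumptions.
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {value: name for name, value in LEVELS.items()}


@dataclass(frozen=True)
class Categorization:
    """Impact level of a loss of confidentiality, integrity and availability."""
    confidentiality: str
    integrity: str
    availability: str

    def overall(self) -> str:
        # FIPS 199 high-water mark: the system inherits its highest C/I/A level.
        return NAMES[max(LEVELS[self.confidentiality], LEVELS[self.integrity],
                         LEVELS[self.availability])]


def risk_score(probability: int, financial: int, operational: int,
               reputational: int) -> int:
    """Likelihood (1-5) times the worst of the three impact dimensions (1-5)."""
    for value in (probability, financial, operational, reputational):
        if not 1 <= value <= 5:
            raise ValueError("ratings must be integers from 1 to 5")
    return probability * max(financial, operational, reputational)


def priority(score: int) -> str:
    """Bucket a 1-25 score: high impact and probability first, low/low last."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"  # low impact with low probability: not prioritized


def prioritize(register: list) -> list:
    """Score every register entry and return them ordered by descending score."""
    scored = []
    for entry in register:
        score = risk_score(entry["probability"], *entry["impact"])
        scored.append({"name": entry["name"], "score": score,
                       "category": entry["cia"].overall(),
                       "priority": priority(score)})
    return sorted(scored, key=lambda row: row["score"], reverse=True)


# Constructed sample register (hypothetical systems, not Olympus AI data);
# impact is (financial, operational, reputational), each rated 1-5.
SAMPLE_REGISTER = [
    {"name": "Client update portal", "probability": 4, "impact": (4, 5, 3),
     "cia": Categorization("moderate", "high", "high")},
    {"name": "Model weights store", "probability": 2, "impact": (5, 4, 5),
     "cia": Categorization("high", "high", "moderate")},
    {"name": "Cafeteria menu site", "probability": 3, "impact": (1, 1, 1),
     "cia": Categorization("low", "low", "low")},
]
```

Calling prioritize(SAMPLE_REGISTER) ranks the portal first (score 20, high priority, FIPS 199 high) and the menu site last (score 3, not prioritized).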

5.6 Data Driven Risk

Olympus AI will monitor data in real time to look for any patterns or anomalies. This will allow the cybersecurity team to map data to risk events, which can improve assessment accuracy (Resolver).

5.7 Business Driven Risk

There needs to be a clear line of communication between the CEO, CISO, and other C-level executives to identify and assess risks that may impact the business’ objectives. With this information, the security team can provide actionable threat intelligence through the process of distillation and personalization of raw threat data (Spector, 2020). Actionable threat intelligence offers security teams a clear path to remediation with the use of simple and efficient processes to immediately counteract threats. Olympus AI will be able to make better decisions by understanding and communicating information security in terms of the impact to the overall business.

5.8 Event Driven Risk

With our continuous real-time monitoring solution, Olympus AI systems will be protected from vulnerabilities by automatically detecting potential threats, reporting them and cleaning them up. When an event is triggered by a cybersecurity threat, event-driven architecture patterns can respond to the threat immediately rather than waiting for a response (Acuna, 2020). Event notifications will also prevent Olympus AI workflows from being disrupted.
6: Cost Management

6.1 Provide security infrastructure that reduces development costs

In an effort to reduce development costs, Olympus AI security infrastructure will store all non-classified information in-house while outsourcing all Controlled Unclassified Information (CUI) to AWS GovCloud (US). This hybrid architecture allows us to reduce the considerable capital investment in IT hardware while offloading the expensive regulatory requirements of local, state, and federal governments.

6.2 Reduce operational costs

By outsourcing the handling of sensitive information to AWS GovCloud, we have cut our operational costs down drastically. Outsourcing part of our security infrastructure allows us to reduce labor costs, IT hardware expenses, and maintenance costs. AWS GovCloud gives Olympus AI the “flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes” (Amazon, 2019). Because AWS GovCloud offers solutions that follow current standards and regulations, Olympus AI will not need to spend a majority of its IT budget on a compliance program. A cloud environment also gives Olympus AI the flexibility to scale any application, which cuts down expenses on IT hardware and software.

6.3 Reducing development costs

By introducing security early into the software development process, Olympus AI can map out the features that are required to operate. It is also necessary to clearly document all the requirements at the start of the process, to avoid incurring expenses in the future for issues that were not caught early on. Olympus AI will conduct several tests throughout the early development stages to help identify any bugs that would be costly to fix if spotted too late in the development cycle.

6.4 Cost of Security

Around 15 percent of Olympus AI’s IT budget will be utilized for cyber security. To find the exact percentage that satisfies Olympus AI security requirements, a risk-based approach and a return on investment (ROI) calculation will be used to determine a more accurate budget around 15%. According to ISACA, achieving an optimal balance between opportunities and minimizing vulnerabilities is accomplished by ensuring the impact of threats is within acceptable limits at an acceptable cost (NCSL). Using the ROI calculation, Olympus AI can roughly estimate the number of incidents and the potential cost per incident to determine if the cost of countermeasures is appropriate (Kolochenko, 2015).
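As an added illustration (not part of the original ISSP or of Kolochenko's article), the following Python works the ROI calculation of section 6.4 with a constructed incident rate and cost per incident, then checks which countermeasures fit the ~15% security share of an assumed IT budget; the ALE/ROSI formula used is a common form and an assumption here.

```python
# Added example (not part of the original ISSP): the ROI check described in
# section 6.4, written in the common annualized-loss form
#   ROSI = (ALE_before - ALE_after - cost_of_control) / cost_of_control
# (the exact formula is an assumption; Kolochenko's article is not quoted).
# Incident rates, costs and the IT budget below are constructed inputs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # yearly cost of running the control
    incidents_prevented: float  # share of incidents the control stops (0..1)
    loss_reduced: float = 0.0   # share of loss removed from incidents that still occur


def annual_loss_expectancy(incidents_per_year: float, cost_per_incident: float) -> float:
    """ALE = estimated incidents per year x estimated cost per incident."""
    return incidents_per_year * cost_per_incident


def rosi(incidents_per_year: float, cost_per_incident: float,
         control: Countermeasure) -> float:
    """Return on security investment; > 0 means loss avoided exceeds the cost."""
    if control.annual_cost <= 0:
        raise ValueError("a countermeasure must have a positive annual cost")
    before = annual_loss_expectancy(incidents_per_year, cost_per_incident)
    after = annual_loss_expectancy(
        incidents_per_year * (1 - control.incidents_prevented),
        cost_per_incident * (1 - control.loss_reduced))
    return (before - after - control.annual_cost) / control.annual_cost


def security_budget(it_budget: float, share: float = 0.15) -> float:
    """The ~15% of the IT budget that section 6.4 earmarks for cyber security."""
    return it_budget * share


def plan(incidents_per_year: float, cost_per_incident: float,
         controls: list, it_budget: float) -> tuple:
    """Fund positive-ROSI controls, best first, while they fit the budget."""
    ranked = sorted(controls, reverse=True,
                    key=lambda c: rosi(incidents_per_year, cost_per_incident, c))
    remaining = security_budget(it_budget)
    chosen = []
    for control in ranked:
        value = rosi(incidents_per_year, cost_per_incident, control)
        if value > 0 and control.annual_cost <= remaining:
            chosen.append(control.name)
            remaining -= control.annual_cost
    return chosen, remaining


# Constructed scenario: 4 incidents/year at $250,000 each (ALE $1,000,000)
# and a $5,000,000 IT budget, so about $750,000 is available for security.
CONTROLS = [
    Countermeasure("MFA rollout", 120_000, incidents_prevented=0.6),
    Countermeasure("Encrypted offsite backups", 300_000, 0.0, loss_reduced=0.5),
    Countermeasure("Gold-plated appliance", 900_000, incidents_prevented=0.7),
]
```

With these inputs, plan(4, 250_000, CONTROLS, 5_000_000) funds the MFA rollout (ROSI 4.0) and the backups (ROSI about 0.67) and rejects the appliance, whose cost exceeds the loss it avoids.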

6.5 Planned costs

Planned annual costs will include (Martin, 2019):

1. Full-time security team. All employees will be paid according to obtained certifications, experience, skills and current industry rates.
2. Operational infrastructure security
   a. Hardware and software costs to monitor the network
3. Vulnerability management and security monitoring
   a. Vulnerability scanning software
   b. Remediation of vulnerabilities
4. Governance, Risk and Compliance
   a. Outsourcing to AWS GovCloud: manages risk and meets regulatory compliance requirements

6.6 Potential costs

Olympus AI has to be prepared for any potential risks that may occur internally or externally. If AWS GovCloud is attacked or a natural disaster destroys its servers, Olympus AI may be subject to fines, unexpected recovery costs, ransomware, and more.

6.7 Comparative costs with industry

In order to protect our systems, Olympus AI has determined a ~15% budget is necessary. While it is slightly higher than the industry average, which is about 5.7%, Olympus AI handles highly sensitive government information in order to support the US military’s national defense (Crawley, 2020).

7: Analysis & Recommendation Management

7.1 Key Elements

There are key elements that must be considered for appropriate analysis and management recommendation. Key stakeholders should be included and consulted in the development process to identify risks. Risk identification and assessments should always align with Olympus AI’s business objectives. C-level executives should be involved in the development and implementation process, not only when a risk occurs.

7.2 Conclusion and Future Work

Risks will never cease to exist, and it is our responsibility to manage them as they come. The rapid growth of new technologies and cyber attacks makes this ISSP an evolving document that needs to be consistently reviewed and updated to mitigate risks and protect Olympus AI’s current and future business objectives. A key factor in managing risks is the on-going education and training of Olympus AI employees.

8: Student Assessment of ISSP to Cyber Management

This ISSP provides a foundation for the organization’s approach to cybersecurity in multiple domains. While it does exclude specific risks and controls, it highlights many important processes and activities that support the system development life cycle. It provides an overview of security requirements, cost considerations, responsibilities expected from individuals, and analysis.
References:

Acuna, S. (2020, November 5). How Implementing Event Driven Architecture Affects Your Enterprise Systems.

Artificial Intelligence and National Security. (2020, November 10). https://crsreports.congress.gov/product/pdf/R/R45178/5

AWS GovCloud (US). (n.d.). Retrieved from https://aws.amazon.com/govcloud-us/?whats-new-ess.sort-by=item.additionalFields.postDateTime&whats-new-ess.sort-order=desc

Budgeting for Cybersecurity. (n.d.). Retrieved from https://www.ncsl.org/documents/taskforces/Budgeting_For_Cybersecurity_32041.pdf

Crawley, K. (2020, May 5). Cybersecurity budgets explained: How much do companies spend on cybersecurity? https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget

Kolochenko, I. (2015, December 1). How to calculate ROI and justify your cybersecurity budget. https://www.csoonline.com/article/3010007/how-to-calculate-roi-and-justify-your-cybersecurity-budget.html

Gilmore, R. (2019, October 23). Benefits and Disadvantages of BYOD (Bring Your Own Device). https://protus3.com/benefits-and-disadvantages-of-byod/

Martin, B. (2019, November 29). Three benchmarks to inform cyber security spending plans for 2020. https://insights.integrity360.com/security-spending

NIST Risk Management Framework. (2016, November 30). https://csrc.nist.gov/Projects/risk-management

Risk Assessment Tools NIST. (2018, October 28). https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/focus-areas/risk-assessment/tools

Security tip (ST18-006). (2018, November 1). https://us-cert.cisa.gov/ncas/tips/ST18-006

Spector, J. (2020, October 29). Actionable Threat Intelligence: What is it? https://www.zerofox.com/blog/actionable-threat-intelligence/

NIST 800 (NIST800.pdf). Retrieved from the CSOL 550 Blackboard course site.

Taking a Data-Driven Approach to Making Risk-based Decisions. (2020, June 26). https://www.resolver.com/resource/taking-data-driven-approach-making-risk-based-decisions/

The Sarbanes-Oxley (SOX) Act of 2002: Information & resources. (2021, June 11). https://www.soxlaw.com/