Olympus AI
Sabrina Toubbeh
Table of Contents
1: Company Summary (pg 2)
2: Management (pg 2)
3: Planning Management (pg 3)
4: Implementation Management (pg 8)
5: Risk Management (pg 8)
6: Cost Management (pg 12)
7: Recommendation (pg 15)
8: Student Assessment of ISSP alignment to Cyber Management (pg 15)
References (pg 17)
1: Company Summary
United States military to support national defenses. Located in Long Beach, California; Fort
Meade, Maryland; and Austin, Texas, Olympus AI is home to 1,500 employees. The United
international rivals and Olympus AI is leading the market, providing the most advanced AI
systems (FAS.org).
a. Olympus AI has three data centers with its headquarters residing in Austin, Texas.
The remaining two data centers are located in Long Beach, California and Fort
Meade, Maryland. These data centers run and operate all of Olympus AI’s
model for data delivery between clients and the organization. Clients, the military
in our case, are able to access services and updates hosted on the cloud. Olympus
AI will utilize AWS GovCloud to keep in compliance with all state and federal
regulations.
2: Management
2.1 Roles and Responsibilities
● Executive head of the program who oversees the use of information technology
● Runs the day-to-day operations of all the information security systems as directed
by the CIO
regulations
controls
The CISO, CIO and applicable department heads are responsible for developing a security
plan. The security plan must be in compliance with all applicable laws, regulations,
The CISO is fully responsible for the day-to-day implementation of the security plan
across all systems. The CIO is responsible for ensuring that the implementation meets the
requirements of Olympus AI
The CISO is responsible for risk assessment and data classification. However, the CIO is
The Chief Human Resources Officer (CHRO) is responsible for overseeing all human
The CIO is responsible for creating a cyber security budget that must be approved by the
Chief Financial Officer (CFO) and CEO. The CISO is responsible for implementing the
3: Planning
3.1 Information Security Implementation (Security Controls)
States military. Our legal obligation is to develop processes that ensure the
access or use of this information. Olympus AI will utilize the NIST Risk Management
Framework (RMF) to manage information security and privacy risk and follow the
Access to Olympus AI data centers should be restricted to those responsible for operation
and maintenance. Non-IT personnel are not permitted unless authorized and escorted by
an IT staff member. All equipment must be physically protected from threats in locked
rooms that require badge access and biometric authentication. There will also be security
personnel outside every entry point to ensure tailgating does not occur.
Olympus AI employees will implement least privilege access which gives users the
minimum level of access needed to perform their job functions. User access privileges
to access information systems. If an employee no longer works for Olympus AI, their
user access privileges must be revoked within 48 hours of leaving the company. All
employees must log time of entry, exit and what they were working on.
In order to protect Olympus AI internal and public-facing websites, the use of several
4. Backup data
Olympus AI handles extremely sensitive government data therefore all personally owned
mobile devices (smartphones, tablets, laptops) will not be allowed to conduct any
employees based on their job role and duties. Eligibility will be determined by Olympus
AI. This limits the risk of theft, loss, damage of devices, employee and corporate liability,
and allows real-time monitoring that enables the IT team to take immediate action when
vulnerabilities and anomalies right away. There must be members of the security team
Due to the criticality of data Olympus AI processes, there must be a designated team of
cybersecurity staff available 24/7 via phone and email; teams will rotate shifts
communications.
System development and maintenance will follow all current standards and should be
updated as system events trigger the need for revision. The designated system owner is
respond, recover and continue operations after a disruption or disaster. With a good contingency
plan in place, Olympus AI can restore critical information system operations with limited
downtime, risk, and disruptions as much as possible. Having these procedures will also minimize
In the event of a natural disaster, the IT team will begin the process of restoring service
following all necessary policies and procedures. Backups are also extremely critical in
the case where natural disasters can wipe out an entire system. Backups must be
In the event of a power outage, employees should continue working from home or offsite
locations if permitted. If the power outage is system-wide, the procedures will be outlined
in the Business Continuity Plan. Employees will be notified when power has been
restored.
Olympus AI has created a business continuity plan that provides policy and
guidance to ensure that the respective teams can respond effectively to a disruption and restore
services in a timely manner. In an effort to mitigate these potential risks and minimize system
downtime, Olympus AI will use its resources to backup data in a separate location. If a
disruption occurs, the backup will be utilized to restore operations as quickly as possible.
4: Implementation Management
The proposed timeline for full implementation of the policies within the business
continuity plan is within 60 days of the authorization date. This data is subject to change
The business continuity plan must be in compliance with all federal and state laws,
regulations and policies. Anyone holding an executive level position is required to follow
regulations of financial practice and corporate governance under the Sarbanes-Oxley Act
laws, regulations, and policies. The BCP is responsible for overseeing the initiation,
5: Risk Management
The risk management process is a framework for the actions that need to be taken. The
framework includes 5 steps to manage a risk. It begins with identifying risks, completing an
assessment of the risks, prioritizing risks, developing a solution to implement, and monitoring
the risk. Olympus AI utilizes the NIST Risk Management Framework (RMF) which provides a
Olympus AI will take the first step by identifying any risks the business is exposed to in its
operating environment. This includes legal risks, environmental risks, market risks,
Risk assessment should be carried out annually by the CIO and outside auditors as well.
Risks are identified and categorized by their expected frequency and impact level they
have on the business’s systems. Olympus AI will use the NIST Privacy Risk Assessment
operational, and reputational impact. Based on the score given, Olympus AI can prioritize
risks accordingly. Risks with a high impact and probability will be given the highest
priority to mitigate. A low impact risk with a low probability of occurring will not be
prioritized.
Our implementation process will be dependent on the type of risks identified. Olympus AI
will define and implement proper security controls to help manage potential risks so they
Risk classification will determine the appropriate security requirements for Olympus IT
systems. Risk classification will be defined using three elements: data classification,
Provided by the FIPS Publication 199, each risk can further be classified based on
Olympus AI will monitor data in real-time to look for any patterns or anomalies. This
will allow the cybersecurity team to map data to risk events which can improve
There needs to be a clear line of communication between the CEO, CISO, and other C-
level executives to identify and assess risks that may impact the business's objectives.
With this information, the security team can provide actionable threat intelligence
through the process of distillation and personalization of raw threat data (Spector, 2020).
Actionable threat intelligence offers security teams a clear path to remediation with the
use of simple and efficient processes to immediately counteract threats. Olympus AI will
cleaning them. For any event triggered by a cybersecurity threat, event-driven
architecture patterns can respond to the threat immediately without having to wait for a
response (Acuna, 2020). Event notifications will also prevent Olympus AI workflows from
being disrupted.
6: Cost Management
operational costs down drastically. Outsourcing part of our security infrastructure allows
us to reduce labor costs, IT hardware expenses, and maintenance costs. AWS GovCloud
gives Olympus AI the “flexibility to architect secure cloud solutions that comply with the
FedRamp High baseline; the DOJ’s Criminal Justice Information Systems (CJIS)
Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-
1075; and other compliance regimes” (Amazon, 2019). Because AWS GovCloud offers
solutions that follow current standards and regulations, Olympus AI will not need to
gives Olympus AI the flexibility to scale any application which cuts down expenses on IT
By introducing security early into the software development process, Olympus AI can
map out the required features that are needed to operate. It is also necessary to clearly
document all the requirements at the start of the process to avoid expenses from incurring
in the future because they were not caught early on. Olympus AI will conduct several
tests throughout the early development stages to help identify any bugs that can be costly
Around 15 percent of Olympus AI's IT budget will be used for cyber security. To find
approach and a Return on Investment (ROI) calculation will be used to determine a more
impact of threats is within acceptable limits at an acceptable cost (NSCL). Using the ROI
calculation, Olympus AI can roughly estimate the number of incidents and potential cost
2015).
b. Remediation of vulnerabilities
compliance requirements
Olympus AI has to be prepared for any potential risks that may occur internally or
externally. If AWS GovCloud gets attacked or a natural disaster destroys their servers,
Olympus AI may be subject to fines, unexpected recovery costs, ransomware, and more.
In order to protect our systems, Olympus AI has determined a ~15% budget is necessary.
While it is slightly higher than the industry average which is about 5.7%, Olympus AI
There are key elements that must be considered for appropriate analysis and management
process to identify risks. Risk identification and assessments should always align with Olympus
AI’s business objectives. C-level executives should be involved in the development and
Risks will never cease to exist and it is our responsibility to manage them as they come.
The rapid growth of new technologies and cyber attacks makes this ISSP an evolving document
that needs to be consistently reviewed as well as updated to mitigate risks and protect Olympus
AI current and future business objectives. A key factor in managing risks is the on-going
domains. While it does exclude specific risks and controls, it highlights many important
processes and activities that support the system development life cycle. It provides an overview
analysis.
References:
Acuna, S. (2020, November 5). How Implementing Event Driven Architecture Affects Your
Enterprise Systems.
https://crsreports.congress.gov/product/pdf/R/R45178/5
https://www.ncsl.org/documents/taskforces/Budgeting_For_Cybersecurity_32041.pdf
Crawley, K. (2020, May 5). Cybersecurity budgets explained: How much do companies
justify-your-cybersecurity-budget
Kolochenko, I. (2015, December 1). Effective and Efficient Security.
https://www.csoonline.com/article/3010007/how-to-calculate-roi-and-justify-your-cybersecurity-budget.html
Gilmore, R. (2019, October 23). Benefits and Disadvantages of BYOD (Bring Your Own
Device). https://protus3.com/benefits-and-disadvantages-of-byod/
Martin, B. (2019, November 29). Three benchmarks to inform cyber security spending plans
management
cybersecurity/privacy-engineering/collaboration-space/focus-areas/risk-assessment/tools
https://www.zerofox.com/blog/actionable-threat-intelligence/
https://www.resolver.com/resource/taking-data-driven-approach-making-risk-based-
decisions/
The Sarbanes-Oxley (SOX) Act of 2002: Information & resources. (2021, June 11).
https://www.soxlaw.com/