
Whiptail Networks

Information Systems Security Plan

By
Jeffrey Ryan
CSOL 550 Management and Cyber Security
Table of Contents
Executive Summary
1. Company Summary
2. Information System Identification, Classification, and Status
2.1. Identification
2.2. Classification
2.3. Status
3. Management
3.1. Roles and Responsibilities
3.1.1. Chief Information Officer
3.1.2. Information System Owner
3.1.3. Information Owner
3.1.4. Senior Agency Information Security Officer (SAISO)
3.1.5. Information System Security Officer
3.1.6. Authorizing Official
3.2. Planning Management
3.3. Implementation Management
3.4. Risk Management
3.5. Human Resource Management
3.6. Cost Management
4. Planning
4.1. Information System Security Controls Implementation Planning
4.1.1. Physical Security
4.1.2. Access Control
4.1.3. Website Data Security
4.1.4. Mobile and Cloud Service
4.1.5. Reliable Communication
4.1.6. System Development and Maintenance
4.2. Business Continuity Planning
4.2.1. Contingency Plans
5. Implementation Management
5.1. Proposed Timeline/Execution
5.2. Budget
6. Risk Management
6.1. Risk Identification
6.2. Risk Assessment
6.3. Analysis, Classification, and Prioritization
6.4. Mitigation Planning, Implementation, and Monitoring
6.5. Risk Tracking
6.6. Risk Types (data driven, business driven, and event driven)
7. Applicable Laws or Regulations Affecting the System
8. Analysis and Recommendation
8.1. Key Findings
8.2. Conclusion and Future Work
9. Information System Security Plan Completion Date
10. Information System Security Plan Approval Date
References
Executive Summary
The Information Systems Security Plan (ISSP) is a plan to provide sufficient but cost-effective
cyber security for Whiptail Networks, Inc. information systems. Input from stakeholders,
including management, information owners, and information system operators, was collected
during development of this plan. The plan delineates the responsibilities and expected
behavior of all individuals who access the system.
The purpose of this security plan is to provide an overview of the security of the Whiptail
Networks system and describe the controls and critical elements in place or planned, based on
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 4,
Security and Privacy Controls for Federal Information Systems and Organizations. This ISSP
follows the guidance in NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal
Information Systems.
This ISSP provides an overview of the security requirements for the Whiptail Networks system
and describes the controls in place or planned for implementation to provide a level of security
appropriate for the information processed as of the date indicated on the approval page.
1. Company Summary
Whiptail Networks designs, develops, and sells products and professional services that allow
customers to build robust enterprise-scale networks capable of handling the demands of
today's bandwidth-hungry devices and applications. Since our founding in 2013, our mission
has been to "simplify networking complexities through the use of innovative ideas and
superior versatility". Our first product was made generally available in 2015 and focused on
medium-sized organizations. Since then, we have become a publicly traded company and
expanded our product portfolio to serve customers from the small office/home office (SOHO)
market all the way up to Fortune 500 companies. Whiptail Networks' vision of the future builds
upon our existing products to enable customers to operate their business networks as
efficiently and seamlessly as possible.
2. Information System Identification, Classification, and Status
The first step in development of an ISSP is to identify and classify organization information
system(s) according to Federal Information Processing Standards Publication (FIPS)
Publication 199, Standards for Security Categorization of Federal Information and
Information Systems (NIST, 2006).
2.1. Identification

System Name:   Whiptail Networks Information System
System Label:  General Support

Table 1 Information System Name and Label
2.2. Classification
Identify the appropriate FIPS 199 categorization based on the types of information
handled by the system. Use Table 2 as reference for determining the appropriate impact
levels.

FIPS 199 Potential Impact Definitions (FIPS 199, Table 1)

Security Objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
  LOW:      The unauthorized disclosure of information could be expected to have a
            limited adverse effect on organizational operations, organizational
            assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a
            serious adverse effect on organizational operations, organizational
            assets, or individuals.
  HIGH:     The unauthorized disclosure of information could be expected to have a
            severe or catastrophic adverse effect on organizational operations,
            organizational assets, or individuals.

Security Objective: Integrity
Guarding against improper information modification or destruction, and includes
ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
  LOW:      The unauthorized modification or destruction of information could be
            expected to have a limited adverse effect on organizational operations,
            organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be
            expected to have a serious adverse effect on organizational operations,
            organizational assets, or individuals.
  HIGH:     The unauthorized modification or destruction of information could be
            expected to have a severe or catastrophic adverse effect on
            organizational operations, organizational assets, or individuals.

Security Objective: Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
  LOW:      The disruption of access to or use of information or an information
            system could be expected to have a limited adverse effect on
            organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information
            system could be expected to have a serious adverse effect on
            organizational operations, organizational assets, or individuals.
  HIGH:     The disruption of access to or use of information or an information
            system could be expected to have a severe or catastrophic adverse
            effect on organizational operations, organizational assets, or
            individuals.

Table 2 FIPS 199 Categorization

Information Type            Confidentiality   Integrity        Availability
                            (HIGH/MOD/LOW)    (HIGH/MOD/LOW)   (HIGH/MOD/LOW)
Intellectual Property       High              High             High
Business Confidential       High              High             Mod
Business Public             Low               Mod              Mod
Highest Information Type    High              High             High
Impact

Table 3 Information Types and Categorization

                    LOW    MODERATE    HIGH
Confidentiality                        X
Integrity                              X
Availability                           X

Table 4 Highest Potential Impact of Primary Security Objectives

Overall system categorization: HIGH

Table 5 Overall System Categorization
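As an added worked example (not part of the original ISSP), the following Python code applies the FIPS 199 high-water-mark rule that turns Table 3 into Tables 4 and 5: for each security objective take the highest impact across all information types, then take the highest of the three objectives as the overall system category. The information types and impact levels in WHIPTAIL_INFORMATION_TYPES are copied from Table 3; any other inputs used to exercise the functions are constructed for illustration.

```python
"""FIPS 199 security categorization by the high-water-mark rule."""
from typing import Dict, Iterable, Mapping

# Ordering of FIPS 199 potential impact levels. "MOD" is accepted as an
# abbreviation because Table 3 of this ISSP uses it.
IMPACT_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
ALIASES = {"MOD": "MODERATE"}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Information types and impact levels from Table 3 of this ISSP.
WHIPTAIL_INFORMATION_TYPES: Dict[str, Dict[str, str]] = {
    "Intellectual Property": {"confidentiality": "HIGH", "integrity": "HIGH", "availability": "HIGH"},
    "Business Confidential": {"confidentiality": "HIGH", "integrity": "HIGH", "availability": "MOD"},
    "Business Public":       {"confidentiality": "LOW",  "integrity": "MOD",  "availability": "MOD"},
}


def normalize(level: str) -> str:
    """Upper-case the level, expand 'MOD', and reject anything not in FIPS 199."""
    level = ALIASES.get(level.upper(), level.upper())
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown FIPS 199 impact level: {level!r}")
    return level


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the sequence. FIPS 199 allows 'not applicable'
    for the confidentiality of public information types, but an information
    system never carries N/A, so LOW is the floor for an empty input."""
    return max((normalize(l) for l in levels), key=IMPACT_RANK.__getitem__, default="LOW")


def categorize_objectives(info_types: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Per-objective high-water mark across all information types (Table 4)."""
    return {
        obj: high_water_mark(levels[obj] for levels in info_types.values())
        for obj in OBJECTIVES
    }


def overall_categorization(info_types: Mapping[str, Mapping[str, str]]) -> str:
    """Overall system category: the highest of the three objectives (Table 5)."""
    return high_water_mark(categorize_objectives(info_types).values())


def fips199_notation(info_types: Mapping[str, Mapping[str, str]]) -> str:
    """Render the categorization in the SC = {(objective, impact), ...} form
    used by FIPS 199 section 3."""
    per_objective = categorize_objectives(info_types)
    inner = ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    print(fips199_notation(WHIPTAIL_INFORMATION_TYPES))
    print("Overall:", overall_categorization(WHIPTAIL_INFORMATION_TYPES))
```

Because the rule is a maximum, a single HIGH information type drives the whole system to HIGH for that objective; the practical way to lower a categorization is to move that information type to a separate system boundary, not to average it away.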

2.3. Status
Indicate the operational status of the system.

Status (select one):  Operational  |  Under Development  |  Major Modification

Table 6 Information System Operational Status

3. Management
This section describes key roles and their responsibilities, in addition to the various forms of
management necessary to the ISSP including planning, implementation, risk assessment,
human resources, and cost management.
3.1. Roles and Responsibilities
3.1.1. Chief Information Officer
The Chief Information Officer (CIO) is responsible for developing and
maintaining Whiptail Networks' organization-wide information security program.
The CIO's responsibilities include (NIST, 2006):
• Designating a senior agency information security officer (SAISO)
• Developing and maintaining information security policies, procedures, and
  control capabilities that focus on system security planning
• Managing selection, implementation, and assessment of security controls
• Ensuring personnel with ISSP responsibilities are adequately trained
• Assisting Whiptail Networks executives with their ISSP responsibilities
3.1.2. Information System Owner
The information system owner is responsible for the procurement, development,
integration, modification, or operation and maintenance of the information
system. The information system owner responsibilities include (NIST, 2006):
• Developing the ISSP with the help of information owners, the system
  administrator, the information system security officer, the SAISO, and end
  users
• Maintaining the ISSP and ensuring the system is deployed and operated
  according to plan requirements
• Ensuring system users and support personnel receive adequate security
  training
• Updating the ISSP when changes warrant
• Assisting in the selection, implementation, and assessment of security
  controls

System Owner's Name: __________________________
Title: __________________________
Organization/Division: __________________________
Address: __________________________
Email: __________________________
Phone #1: __________________________
Phone #2: __________________________
Signature: __________________________
Date: __________________________

Table 7 Information System Owner Details
3.1.3. Information Owner
The information owner is responsible for establishing the controls for information
generation, collection, processing, dissemination, and disposal. The information
owner responsibilities include (NIST, 2006):
• Establishing the rules for appropriate use and protection of applicable
  information
• Providing input to information system owners with respect to information
  security requirements and security controls for any information system
  where applicable information resides
• Deciding access control and user privileges for the information system
• Assisting in the selection and assessment of security controls where
  applicable
3.1.4. Senior Agency Information Security Officer (SAISO)
The senior agency information security officer is responsible for serving as the
CIO’s primary liaison to information system owners and information system
security officers. SAISO responsibilities include (NIST, 2006):
• Fulfilling the CIO's responsibilities for system security planning
• Coordinating the development, review, and acceptance of the ISSP with
  information system owners, information system security officers, and the
  authorizing official
• Coordinating the selection, implementation, and assessment of security
  controls
• Retaining the professional training and experience necessary to develop and
  review ISSPs

Name, title, address, email address, and phone number of the person who is
responsible for the security of the system.

Name: __________________________
Title: __________________________
Organization/Division: __________________________
Address: __________________________
Email: __________________________
Phone #1: __________________________
Phone #2: __________________________
Signature: __________________________
Date: __________________________

Table 8 Senior Agency Information Security Officer Details

3.1.5. Information System Security Officer
The information system security officer, designated by the SAISO, authorizing
official, Whiptail Networks management, or information system owner, is
responsible for ensuring the proper operational security posture is maintained for
the information system. Information system security officer responsibilities
include (NIST, 2006):
• Assisting the SAISO in the selection, implementation, and assessment of
  security controls
• Playing a role in developing and updating the ISSP, in addition to
  coordinating with the information system owner regarding system changes
  and their security impacts
3.1.6. Authorizing Official
The authorizing official has the authority to assume responsibility for operating an
information system at an acceptable level of risk to the organization. Authorizing
official responsibilities include (NIST, 2006):
• Approving the ISSP
• Authorizing operation of the information system
• Issuing temporary authorizations to operate information systems under
  specific terms and conditions
• Denying or rescinding authorizations to operate information systems if the
  risk to the organization is too great
The senior management official designated as the authorizing official:

Authorizing Official's Name: __________________________
Title: __________________________
Organization/Division: __________________________
Address: __________________________
Email: __________________________
Phone #1: __________________________
Phone #2: __________________________
Signature: __________________________
Date: __________________________

Table 9 Authorizing Official Details

3.2. Planning Management
Subsection devoted to planning management requirements and responsibilities.
3.3. Implementation Management
Subsection devoted to implementation management requirements and responsibilities.
3.4. Risk Management
Subsection devoted to risk management requirements and responsibilities.
3.5. Human Resource Management
Subsection devoted to human resource management requirements and responsibilities.
3.6. Cost Management
Subsection devoted to cost management requirements and responsibilities.
4. Planning
This section describes the planning requirements necessary for the implementation of
information system security controls and business continuity plans.
4.1. Information System Security Controls Implementation Planning
The Whiptail Networks information system requires security controls divided into the
following subsections.

4.1.1. Physical Security
Subsection devoted to physical security control planning.
4.1.2. Access Control
Subsection devoted to access control planning.
4.1.3. Website Data Security
Subsection devoted to website data security control planning.
4.1.4. Mobile and Cloud Service
Subsection devoted to mobile and cloud service security control planning.
4.1.5. Reliable Communication
Subsection devoted to communication resiliency security control planning.
4.1.6. System Development and Maintenance
Subsection devoted to system development and maintenance security control
planning.
4.2. Business Continuity Planning
Business continuity planning consists of performing a business impact analysis to
identify critical business functions, determining what is needed to recover each of the
identified functions, developing a business continuity plan (BCP) for reference during a
disruption, and periodically testing the effectiveness of the plan through tabletop or
mock exercises (Department of Homeland Security, n.d.).
Business continuity planning produces the BCP, the contingency plans, and the disaster
recovery plans. These are separate documents; this ISSP references them in order to
capture their creation as a requirement.
4.2.1. Contingency Plans
A contingency plan is the course of action the organization takes when a specific
disruptive situation occurs (Britton, 2016). Organizations often maintain multiple
contingency plans, each focused on a specific situation with its own sequence of
actions. Contingency plans should cover natural disasters such as earthquakes, fire, or
floods; equipment failures, including power outages; and man-made events such as data
breaches, human error, and equipment misconfiguration.
5. Implementation Management
This section describes the implementation management requirements with respect to
scheduling and budget.
5.1. Proposed Timeline/Execution
This subsection proposes an ISSP schedule from development to completion.

5.2. Budget
This subsection of the ISSP describes cost management, such as ways to reduce
operational costs, the cost of security overall, planned costs, potential costs, and how
costs compare with similar organizations within the industry.
6. Risk Management
This section of the ISSP describes risk management including risk identification, assessment,
prioritization, classification, mitigation, tracking, and types of risk.
6.1. Risk Identification
Subsection devoted to risk identification.
6.2. Risk Assessment
Subsection devoted to the assessment of identified risks.
6.3. Analysis, Classification, and Prioritization
Subsection devoted to analysis, classification, and prioritization of identified risks.
6.4. Mitigation Planning, Implementation, and Monitoring
Subsection devoted to risk mitigation planning, implementation, and monitoring.
6.5. Risk Tracking
Subsection devoted to risk tracking.
6.6. Risk Types (data driven, business driven, and event driven)
Subsection devoted to the different types of risk.
7. Applicable Laws or Regulations Affecting the System
The following is a list of laws, regulations, and regulatory guidance that the Whiptail
Networks information system complies with.
• Sarbanes-Oxley (SOX) Act of 2002
  A law enacted in response to the fraudulent activities of Enron and WorldCom. SOX
  requires accurate and reliable corporate disclosures with respect to corporate
  accounting, bans illegal loans to executives, and protects whistleblowers.

  SOX requires security policies and annual testing of the security controls implemented
  as a result of this ISSP (Johnson, 2015).
• Computer Fraud and Abuse Act of 1986
  Whiptail Networks computers with Internet connectivity communicate across state
  lines and therefore qualify as protected computers under this law, which prohibits
  accessing a protected computer without authorization or in excess of authorized
  access, and causing damage to it (Freeman, 2017).
• FIPS 199 – Standards for Security Categorization of Federal Information and
  Information Systems, February 2004
• NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal
  Information Systems, February 2006
• NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments, September 2012
• NIST SP 800-34 Rev. 1 – Contingency Planning Guide for Federal Information
  Systems, May 2010
• NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information
  Systems and Organizations, April 2013
• NIST SP 800-60 Rev. 1 – Guide for Mapping Types of Information and Information
  Systems to Security Categories, Volumes I and II, August 2008
8. Analysis and Recommendation
8.1. Key Findings
• The ISSP must lay out who is responsible for every part of the plan, from initiating,
  developing, and implementing to reviewing, maintaining, and completing it.
• All types of information transmitted and stored within the information system
  need proper categorization in order to select appropriate security controls that
  will mitigate risk to levels deemed acceptable to the organization.
• Identification of risk is as important as identification of information. Failure
  to properly assess, analyze, and prioritize risk will also result in inappropriate
  security controls.
• Improperly prioritized risk could cause substantial resource expenditures on
  solutions that do not mitigate risk efficiently, if at all.
• A suitable configuration change management system is necessary to keep track
  of information system changes, which may warrant updates to the ISSP.
8.2. Conclusion and Future Work
This ISSP briefly describes the organization it is developed for, Whiptail Networks. It
goes on to identify information system(s) and their categorizations, key ISSP roles and
their responsibilities, and a description of minimum security controls necessary to
reduce risk to acceptable levels. Development and implementation of an ISSP requires a
great deal of planning, including a business continuity strategy, estimated costs, risk
assessments, and implementation details. The ISSP culminates in a list of applicable
laws and regulations the information system is subject to.
This ISSP is a living document that will be updated periodically to incorporate new
and/or modified security controls. The plan will be revised as the changes occur to the
system, the data, or the technical environment in which the system operates.
9. Information System Security Plan Completion Date
Enter the completion date of the plan.
Date: __________________________

10. Information System Security Plan Approval Date
Enter the date the system security plan was approved and indicate if the approval documentation
is attached or on file.
Date: __________________________

References
National Institute of Standards and Technology. (2006). Guide for Developing Security Plans for
Federal Information Systems (NIST SP 800-18 Rev. 1).
Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones
& Bartlett Learning.
Department of Homeland Security. (n.d.). Business Continuity Plan. Retrieved from
https://www.ready.gov/business/implementation/continuity
Britton, C. (2016). What is a Business Contingency Plan & How to Create One. Retrieved from
https://www.rockdovesolutions.com/blog/what-is-a-business-contingency-plan-how-to-create-
one
Freeman, J. (2017). The Computer Fraud and Abuse Act (CFAA). Retrieved from
https://www.freemanlaw-pllc.com/computer-fraud-abuse-act-cfaa/

Portions of this ISSP are based on the following ISSP templates:

The Department of Housing and Urban Development – System Security Plan (SSP) Template.
Retrieved from https://www.hud.gov/sites/documents/DOC_15139.doc
Georgia Technology Authority – Information System Security Plan Template. Retrieved from
https://gta.georgia.gov/sites/gta.georgia.gov/files/related_files/document/Information%20System
%20Security%20Plan%20Template.doc