By
Jeffrey Ryan
CSOL 550 Management and Cyber Security
Table of Contents
Executive Summary .................................................................................................................................. 1
1. Company Summary ................................................................................................................... 1
2. Information System Identification, Classification, and Status .................................................. 1
2.1. Identification ............................................................................................................................. 1
2.2. Classification ............................................................................................................................. 2
2.3. Status ......................................................................................................................................... 3
3. Management .............................................................................................................................. 3
3.1. Roles and Responsibilities......................................................................................................... 3
3.1.1. Chief Information Officer ......................................................................................................... 3
3.1.2. Information System Owner ....................................................................................................... 4
3.1.3. Information Owner .................................................................................................................... 5
3.1.4. Senior Agency Information Security Officer (SAISO) ............................................................. 5
3.1.5. Information System Security Officer ........................................................................................ 6
3.1.6. Authorizing Official .................................................................................................................. 6
3.2. Planning Management ............................................................................................................... 7
3.3. Implementation Management .................................................................................................... 7
3.4. Risk Management ...................................................................................................................... 7
3.5. Human Resource Management.................................................................................................. 7
3.6. Cost Management ...................................................................................................................... 7
4. Planning ..................................................................................................................................... 7
4.1. Information System Security Controls Implementation Planning ............................................. 7
4.1.1. Physical Security ....................................................................................................................... 8
4.1.2. Access Control .......................................................................................................................... 8
4.1.3. Website Data Security ............................................................................................................... 8
4.1.4. Mobile and Cloud Service ......................................................................................................... 8
4.1.5. Reliable Communication ........................................................................................................... 8
4.1.6. System Development and Maintenance .................................................................................... 8
4.2. Business Continuity Planning ................................................................................................... 8
4.2.1. Contingency Plans ..................................................................................................................... 8
5. Implementation Management .................................................................................................... 8
5.1. Proposed Timeline/Execution ................................................................................................... 8
5.2. Budget ....................................................................................................................................... 9
6. Risk Management ...................................................................................................................... 9
6.1. Risk Identification ..................................................................................................................... 9
6.2. Risk Assessment ........................................................................................................................ 9
6.3. Analysis, Classification, and Prioritization ............................................................................... 9
6.4. Mitigation Planning, Implementation, and Monitoring ............................................................. 9
6.5. Risk Tracking ............................................................................................................................ 9
6.6. Risk Types (data driven, business driven, and event driven) .................................................... 9
7. Applicable Laws or Regulations Affecting the System............................................................. 9
8. Analysis and Recommendation ............................................................................................... 10
8.1. Key Findings ........................................................................................................................... 10
8.2. Conclusion and Future Work .................................................................................................. 10
9. Information System Security Plan Completion Date .............................................................. 10
10. Information System Security Plan Approval Date .................................................................. 11
References ............................................................................................................................................... 12
Executive Summary
The Information Systems Security Plan (ISSP) is a plan to provide sufficient but cost-effective
cyber security for Whiptail Network, Inc. information systems. Input from stakeholders
including management, information owners, and information system operators was collected for
development of this plan. The system security plan delineates responsibilities and expected
behavior of all individuals who access the system.
The purpose of this security plan is to provide an overview of the security of the Whiptail
Networks system and describe the controls and critical elements in place or planned for, based on
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,
Recommended Security Controls for Federal Information Systems. This ISSP follows guidance
contained in NIST SP 800-18, Guide for Developing Security Plans for Federal Information
Systems.
This ISSP provides an overview of the security requirements for the Whiptail Networks system
and describes the controls in place or planned for implementation to provide a level of security
appropriate for the information processed as of the date indicated in the approval page.
1. Company Summary
Whiptail Networks designs, develops, and sells products and professional services that allow
customers to build robust, enterprise-scale networks capable of handling the demands of
today’s bandwidth-hungry devices and applications. Since our founding in 2013, our mission
has been to “simplify networking complexities through the use of innovative ideas and
superior versatility”. Our first product was made generally available in 2015 and focused on
medium-sized organizations. Since then, we have become a publicly traded company and
expanded our product portfolio to include the small office/home office (SOHO) market all
the way up to Fortune 500 companies. Whiptail Network’s vision of the future builds upon
our existing products to enable customers to operate their business networks as efficiently
and seamlessly as possible.
2. Information System Identification, Classification, and Status
The first step in development of an ISSP is to identify and classify the organization's
information system(s) according to Federal Information Processing Standards (FIPS)
Publication 199, Standards for Security Categorization of Federal Information and
Information Systems (NIST, 2006).
2.1. Identification
System Name: Whiptail Networks Information System
Page | 1
2.2. Classification
Identify the appropriate FIPS 199 categorization based on the types of information
handled by the system. Use Table 1 as reference for determining the appropriate impact
levels.
Table 1. FIPS 199 potential impact definitions (Guide for Developing Security Plans for Federal Information Systems)

Security Objective | POTENTIAL IMPACT: LOW | POTENTIAL IMPACT: MODERATE | POTENTIAL IMPACT: HIGH
Availability. Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Information Type | Confidentiality (HIGH/MOD/LOW) | Integrity (HIGH/MOD/LOW) | Availability (HIGH/MOD/LOW)
Confidentiality | X
Integrity | X
Availability | X
2.3. Status
Indicate the operational status of the system.
3. Management
This section describes key roles and their responsibilities, in addition to the various forms of
management necessary to the ISSP, including planning, implementation, risk assessment,
human resources, and cost management.
3.1. Roles and Responsibilities
3.1.1. Chief Information Officer
The Chief Information Officer (CIO) is responsible for developing and
maintaining Whiptail Network’s organization-wide information security program.
The CIO responsibilities include (NIST, 2006):
- Designating a senior agency information security officer (SAISO)
- Developing and maintaining information security policies, procedures, and
  control capabilities that focus on system security planning
- Managing selection, implementation, and assessment of security controls
- Ensuring personnel with ISSP responsibilities are adequately trained
- Assisting Whiptail Network executives with their ISSP responsibilities
3.1.2. Information System Owner
The information system owner is responsible for the procurement, development,
integration, modification, or operation and maintenance of the information
system. The information system owner responsibilities include (NIST, 2006):
- Developing the ISSP with the help of information owners, the system
  administrator, the information system security officer, the SAISO, and end
  users
- Maintaining the ISSP and ensuring the system is deployed and operated
  according to plan requirements
- Ensuring system users and support personnel receive adequate security
  training
- Updating the ISSP when changes warrant
- Assisting in the selection, implementation, and assessment of security
  controls
Title: __________________________
Organization/Division: __________________________
Address: __________________________
Phone #1: __________________________
Phone #2: __________________________
Signature: __________________________
Date: __________________________
3.1.3. Information Owner
The information owner is responsible for establishing the controls for information
generation, collection, processing, dissemination, and disposal. The information
owner responsibilities include (NIST, 2006):
- Establishing the rules for appropriate use and protection of applicable
  information
- Providing input to information system owners with respect to information
  security requirements and security controls for any information system
  where applicable information resides
- Deciding access control and user privileges for the information system
- Assisting in the selection and assessment of security controls where
  applicable
3.1.4. Senior Agency Information Security Officer (SAISO)
The senior agency information security officer is responsible for serving as the
CIO’s primary liaison to information system owners and information system
security officers. SAISO responsibilities include (NIST, 2006):
- Fulfilling the CIO’s responsibilities for system security planning
- Coordinating the development, review, and acceptance of the ISSP with
  information system owners, information system security officers, and the
  authorizing official
- Coordinating the selection, implementation, and assessment of security
  controls
- Retaining professional training and experience necessary to develop and
  review ISSPs
Name, title, address, email address, and phone number of the person who is
responsible for the security of the system.
Name: __________________________
Title: __________________________
Organization/Division: __________________________
Address: __________________________
Phone #1: __________________________
Phone #2: __________________________
Signature: __________________________
Date: __________________________
- Denying and/or rescinding authorizations to operate information systems if
  the risk to the organization is too great
Senior management official designated as the authorizing official:
Title: __________________________
Organization/Division: __________________________
Address: __________________________
Phone #1: __________________________
Phone #2: __________________________
Signature: __________________________
Date: __________________________
4.1.1. Physical Security
Subsection devoted to physical security control planning.
4.1.2. Access Control
Subsection devoted to access control planning.
4.1.3. Website Data Security
Subsection devoted to website data security control planning.
4.1.4. Mobile and Cloud Service
Subsection devoted to mobile and cloud service security control planning.
4.1.5. Reliable Communication
Subsection devoted to communication resiliency security control planning.
4.1.6. System Development and Maintenance
Subsection devoted to system development and maintenance security control
planning.
4.2. Business Continuity Planning
Business continuity planning consists of performing a business impact analysis to
identify critical business functions, determining what is needed to recover each of the
identified functions, developing a business continuity plan (BCP) for reference during a
disruption, and periodically testing the effectiveness of the plan by performing tabletop
or mock exercises (Department of Homeland Security, n.d.).
Business continuity planning produces the BCP, contingency plans, and disaster recovery
plans. These are separate documents; they are mentioned in this ISSP to capture their
creation as a requirement.
4.2.1. Contingency Plans
A contingency plan is a course of action the organization would take if a specific situation
occurs (Britton, 2016). Organizations often have multiple contingency plans, each
one focused on a specific situation with its own sequence of actions. Contingency
plans should cover natural disasters such as earthquakes, fires, or floods;
equipment failures, including power outages; and man-made events such as data
breaches, human error, and equipment misconfiguration.
5. Implementation Management
This section describes the implementation management requirements with respect to
scheduling and budget.
5.1. Proposed Timeline/Execution
This subsection proposes an ISSP schedule from development to completion.
5.2. Budget
This subsection of the ISSP describes cost management, such as ways to reduce
operational costs, the cost of security overall, planned costs, potential costs, and how
costs compare with similar organizations within the industry.
6. Risk Management
This section of the ISSP describes risk management including risk identification, assessment,
prioritization, classification, mitigation, tracking, and types of risk.
6.1. Risk Identification
Subsection devoted to risk identification.
6.2. Risk Assessment
Subsection devoted to the assessment of identified risks.
6.3. Analysis, Classification, and Prioritization
Subsection devoted to analysis, classification, and prioritization of identified risks.
6.4. Mitigation Planning, Implementation, and Monitoring
Subsection devoted to risk mitigation planning, implementation, and monitoring.
6.5. Risk Tracking
Subsection devoted to risk tracking.
6.6. Risk Types (data driven, business driven, and event driven)
Subsection devoted to the different types of risk.
7. Applicable Laws or Regulations Affecting the System
The following is a list of laws, regulations, and regulatory guidance with which the Whiptail
Networks information system complies.
Sarbanes-Oxley (SOX) Act of 2002
A law that came about due to the fraudulent activities of Enron and WorldCom. SOX
ensures accurate and reliable corporate disclosures with respect to corporate
accounting, bans illegal loans to executives, and protects whistleblowers.
SOX requires security policies and annual testing of security controls implemented as
a result of this ISSP (Johnson, 2015).
Computer Fraud and Abuse Act of 1986
Whiptail Networks computers with Internet connectivity have interstate
communication capabilities and therefore fall under the jurisdiction of this law, which
prohibits unauthorized access, privilege escalation, and damage to protected
computers (Freeman, 2017).
FIPS 199 – Standards for Security Categorization of Federal Information and
Information Systems, February 2004
NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal
Information Systems, February 2006
NIST SP 800-30 Rev. 1 – Risk Management Guide for Information Technology
Systems, September 2012
NIST SP 800-34 Rev. 1 – Contingency Planning Guide for Information Technology
Systems, May 2010
NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information
Systems and Organizations, April 2013
NIST SP 800-60 Rev. 1 – Volume I & II Guide for Mapping Types of Information
and Information Systems to Security Categories
8. Analysis and Recommendation
8.1. Key Findings
- The ISSP must lay out who is responsible for all parts of the plan, from initiating,
  developing, and implementing to reviewing, maintaining, and completing.
- All types of information transmitted and stored within the information system
  need proper categorization in order to select appropriate security controls that
  will mitigate risk to levels deemed acceptable to the organization.
- Identification of risk is as important as identification of information. Failure
  to properly assess, analyze, and prioritize risk will also result in inappropriate
  security controls.
- Improperly prioritized risk could cause substantial resource expenditures on
  solutions that don’t mitigate risk efficiently, if at all.
- A suitable configuration change management system is necessary to keep track
  of information system changes, which may warrant updates to the ISSP.
8.2. Conclusion and Future Work
This ISSP briefly describes the organization it is developed for, Whiptail Networks. It
goes on to identify information system(s) and their categorizations, key ISSP roles and
their responsibilities, and a description of minimum security controls necessary to
reduce risk to acceptable levels. Development and implementation of an ISSP requires a
great deal of planning, including a business continuity strategy, estimated costs, risk
assessments, and implementation details. The ISSP culminates in a list of applicable
laws and regulations the information system is subject to.
This ISSP is a living document that will be updated periodically to incorporate new
and/or modified security controls. The plan will be revised as changes occur to the
system, the data, or the technical environment in which the system operates.
9. Information System Security Plan Completion Date
Enter the completion date of the plan.
Date: __________________________
10. Information System Security Plan Approval Date
Enter the date the system security plan was approved and indicate if the approval documentation
is attached or on file.
Date: __________________________
References
National Institute of Standards and Technology. (2006). Guide for Developing Security Plans for
Federal Information Systems (NIST SP 800-18 Rev. 1).
Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones
& Bartlett Learning.
Department of Homeland Security. (n.d.). Business Continuity Plan. Retrieved from
https://www.ready.gov/business/implementation/continuity
Britton, C. (2016). What is a Business Contingency Plan & How to Create One. Retrieved from
https://www.rockdovesolutions.com/blog/what-is-a-business-contingency-plan-how-to-create-one
Freeman, J. (2017). The Computer Fraud and Abuse Act (CFAA). Retrieved from
https://www.freemanlaw-pllc.com/computer-fraud-abuse-act-cfaa/