
Running head: T-SHIRT BARN INFORMATION SYSTEMS SECURITY PLAN

T-Shirt Barn Inc.

Wayne Fischer

Management and Cybersecurity

CSOL 550, Summer 2018

July 6, 2018

Professor Moore

Table of Contents
1. Company Summary
1.1 Purpose Statement
1.2 Enterprise Architecture
2: Management
2.1 Roles and Responsibilities
3: Planning
3.1 Information Security Implementation
3.2 Contingency Planning
3.3 Business Continuity Plan
4: Implementation Management
5: Risk Management
6: Cost Management
6.2 Reduce Operational Costs
7: Analysis & Recommendation to Management
7.1 Key Elements
7.2 Conclusion and Future Work
8: Student Assessment of ISSP to Cyber Management
References

Abstract

T-Shirt Barn Inc. is a fictitious company which utilizes modern information technology (IT) to sell custom T-shirts from an e-commerce website. This document provides an example of an Information Systems Security Plan (ISSP) with an emphasis on cyber security and the cyber security issues pertinent to similar organizations. It addresses the organization of information security policies, infrastructure, personnel, and authority, and contingency planning, as well as risk management, legal issues, and roles and responsibilities. There are seven major sections in this ISSP document, with a final eighth section discussing how ISSPs align to management’s interests. Not all subsections from the original template provided are populated, and this should not be used as an authoritative ISSP document, but rather as an example of how a company may begin writing and using an ISSP.



1. Company Summary

T-Shirt Barn Inc. is a privately held company which began operations in 1993 as a single store in a local strip mall located in Bakersfield, California. Steven Barn began the business by selling comical T-shirts, working with his wife, Michelle Barn. Sales were successful enough that by 2003 the store had grown into a true small business with twenty full-time staff and began selling custom T-shirts with T-Shirt Barn Inc. logos and/or custom prints. The popularity of the Internet proved a lucrative opportunity to expand the business by offering an additional e-commerce option. Once this became available in 2005 the company had numerous computerized point-of-sale (POS) registers, an online website and e-commerce site, as well as various merchandise and inventory tracking systems. Today, in 2018, the company has fourteen full-time IT staff, including an IT Manager, who perform all help desk, server maintenance, networking and cyber security duties, and approximately fifty employees who work in sales, marketing, supply, and customer support.

Today Steven, now Chief Executive Officer, and his wife, now Chief Operating Officer, have grown concerned after their credit card processor and banks have required increasing cyber protections for their credit card systems. They are subject to numerous regulations such as the Payment Card Industry Data Security Standard (PCI-DSS), state data privacy regulations, and breach notification requirements. Additionally, they have discussed with business colleagues and friends business-impacting scenarios in which cyber security incidents have occurred, resulting in fines and operational impacts that significantly affected company profits. In order to address these concerns they have requested that the IT Manager revise and formalize existing cyber security documentation and create a formal Information System Security Plan.

1.1 Purpose Statement

This Information System Security Plan (ISSP) has been created to address the specific threats and risks facing T-Shirt Barn Inc. It provides an overview of the existing enterprise architecture, planning and implementation, a suggested management structure and organization of cyber staff, training and education, business continuity planning and disaster recovery. It addresses cost and risk balancing and suggestions to senior leadership, as well as key points which are critical to decreasing the risks facing the company. This is a plan, and it requires additional documentation to be created in the form of policies, standards, and procedures, as well as specific controls and programs, which are outside the scope of this ISSP. It is expected that this plan will be reviewed, revised and approved by senior management before implementation and reviewed by all key stakeholders in the company.

1.2 Enterprise Architecture

The IT architecture consists of physical servers, including a public web server, DNS server, and mail server located in a demilitarized zone (DMZ) which is protected by a firewall from the Internet and connects through an Intranet firewall to corporate databases and Intranet systems including payroll and scheduling, supply, human resources, sales, and information technology. The internal servers consist of an internal DNS server, Microsoft Active Directory servers, and POS and POS database servers, as well as Microsoft Windows 7 workstations.

The IT Manager was an early adopter of the Information Technology Infrastructure Library (ITIL) and has used this for the overall Enterprise Architecture for “aligning IT services with the needs of the business” (ITIL, 2014). The ITIL framework has worked well to address IT business needs; however, it lacks a formal ISSP model to use. The IT Manager practices some basic cyber security principles but recognizes the need for more expertise and additional cyber security infrastructure. The IT Manager and Management agree that using the National Institute of Standards and Technology (NIST) Special Publication 800-18 (Swanson, Hash, Bowen, & NIST, 2006) to develop the ISSP is the best approach given the cost of other frameworks.

All critical infrastructure items must be managed under change control to prevent outages and reduce configuration risks. Change management will be used during our projects to enhance our infrastructure. These projects include adding Intrusion Detection and Intrusion Prevention Systems and a Security Information and Event Management (SIEM) system, with the devices placed strategically between the Internet and DMZ zones as well as between the DMZ and Intranet zones. Additionally, centrally managed firewalls should be used to provide chokepoints between all networks. A comprehensive mail security system should be added to provide email protection and prevent phishing and viruses from arriving through email, and Internet proxies will be used to prevent internal systems from accessing known malicious or potentially malicious web sites.

The most critical aspect of the Enterprise Architecture is to introduce segregation for the point-of-sale and credit card processing applications and databases so that they are on separate networks and strictly managed to adhere to PCI-DSS standards and other regulatory requirements. Segregation and segmentation on the internal network remains a critical missing aspect of the architecture needed to protect T-Shirt Barn from threats. Each network may be segregated based on the risk management approach decided upon by management; however, it is recommended to segregate networks based on the type of data and its sensitivity. For example, human resources may maintain a unique network as it is subject to Personally Identifiable Information regulations, and PCI-DSS data may be placed on its own network.
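The zone model above (Internet, DMZ, Intranet, with HR and PCI enclaves carved out of the Intranet, every pair joined by a firewall chokepoint) can be checked mechanically before a rule reaches a firewall. The following is an added example written for this page, not code from the plan or from T-Shirt Barn; the zone names, the adjacency map and the sample rule set are constructed assumptions that illustrate the policy, not a real configuration.

```python
"""Segmentation policy check for the zone model in section 1.2.

Added example, not part of the original plan: the zone names, the adjacency
map and the sample rule set are constructed for illustration.
"""
from dataclasses import dataclass

# Zones and a rough sensitivity rank for the data each one holds.
# Internet and DMZ sit outside the corporate boundary; HR (PII) and PCI
# (cardholder data) are regulated enclaves carved out of the Intranet.
ZONES = {
    "internet": 0,
    "dmz": 1,
    "intranet": 2,
    "hr": 3,
    "pci": 3,
}

# Zone pairs that share a firewall chokepoint. Any allow rule between
# non-adjacent zones skips a chokepoint and is a segmentation violation.
ADJACENT = {
    frozenset({"internet", "dmz"}),
    frozenset({"dmz", "intranet"}),
    frozenset({"intranet", "hr"}),
    frozenset({"intranet", "pci"}),
}

REGULATED = {"hr", "pci"}


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule: traffic from src zone to dst zone on a TCP port."""
    src: str
    dst: str
    port: int
    comment: str = ""


def check_rule(rule: Rule) -> list[str]:
    """Return the policy findings for one allow rule; an empty list means compliant."""
    if rule.src not in ZONES or rule.dst not in ZONES:
        return [f"unknown zone in {rule.src}->{rule.dst}:{rule.port}"]
    findings = []
    flow = f"{rule.src}->{rule.dst}:{rule.port}"
    if frozenset({rule.src, rule.dst}) not in ADJACENT:
        findings.append(f"{flow} bypasses a firewall chokepoint (zones are not adjacent)")
    # Regulated enclaves accept connections only from the Intranet, never
    # directly from the DMZ or the Internet.
    if rule.dst in REGULATED and rule.src != "intranet":
        findings.append(f"{flow} exposes regulated data to the {rule.src} zone")
    # Internal zones must not reach the Internet directly; egress goes via the proxy.
    if rule.dst == "internet" and ZONES[rule.src] >= 2:
        findings.append(f"{flow} allows direct egress; route through the Internet proxy")
    return findings


def audit(rules: list[Rule]) -> dict[Rule, list[str]]:
    """Map each non-compliant rule to its findings."""
    results = {rule: check_rule(rule) for rule in rules}
    return {rule: f for rule, f in results.items() if f}


# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = [
    Rule("internet", "dmz", 443, "public web server"),
    Rule("dmz", "intranet", 1433, "web tier to corporate database"),
    Rule("intranet", "pci", 443, "POS management console"),
    Rule("dmz", "pci", 1433, "web tier straight to the POS database"),
    Rule("pci", "internet", 443, "POS servers browsing the web"),
    Rule("internet", "intranet", 3389, "remote desktop from anywhere"),
]

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(f"[{rule.comment}]")
        for finding in findings:
            print("  -", finding)
```

Running the script reports the three rules that violate the segregation policy (the DMZ-to-PCI database rule, the direct egress from the PCI zone, and the Internet-to-Intranet rule that skips the DMZ chokepoint) and stays silent on the three compliant ones. A check of this kind is a natural gate inside the change-control process the section calls for.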

2: Management

The CEO, COO, and IT Manager agree with the NIST publication’s suggestion that the ISSP should address “key security-related documents for the information system such as a risk assessment, plan of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan, configuration management plan, security configuration checklists, and system interconnection” (Swanson, Hash, Bowen, & NIST, 2006, p. 1). An Information Security Governance Committee will be created, staffed by all areas of the company and headed by the COO. This committee will meet quarterly in order to review progress of the implementation, evaluate risks, and ensure compliance across the company.

Leadership is in agreement that a formal Chief Information Officer (CIO) role is appropriate given the size of the organization and the expectation of future growth. They have decided the IT Manager will be promoted to CIO and given company-wide authority to develop and manage IT infrastructure, as well as to develop and maintain a cyber security program. It is suggested that a new Chief Information Security Officer (CISO) role be created and filled, with the authority and responsibility to report to the CIO and manage cyber security risks for the organization. The CIO is also responsible for training and education for all IT operations. The CIO and CISO will be part of the information security governance committee along with legal, human resources, sales, IT, and marketing.

2.1 Roles and Responsibilities

The CEO will be ultimately responsible for and own the cybersecurity program; however, it will be managed by the CIO. We agree with the authors that this demonstrates management’s commitment to, and the seriousness of, the cyber security program to the company (Touhill & Touhill, 2014, p. 240). The CIO shall be responsible for all information technology aspects and report to the CEO and COO. However, the CIO will delegate cyber security and regulatory tasks to the CISO. The CISO is responsible for cyber security tasks and managing cyber risks to the company. The CISO is also responsible for managing, hiring, and retaining a trained staff of technical and regulatory experts. The CISO manages their own budget, reports any risks and recommendations from their team to the CIO, CEO, and COO, and ensures any security incidents which may impact business operations are reported immediately. Information owners and information system owners are required to work with the CIO and CISO to ensure policies are followed upon implementation.

Planning management, implementation management, risk management, human resources management, and cost management activities fall under the responsibility of the CIO. The COO will work with the information security governance committee, which shall grant authority and monitor responsibilities and efforts related to information governance. The CISO is delegated responsibility by the CIO and granted authority to create and manage their respective budgets, identify and report on risks, and work with human resources to create and maintain policies relevant to information technology such as acceptable use policies and background screening. The CISO will perform planning and implementation activities through a project management specialist for any changes or new initiatives related to cyber security measures. Supervisors are responsible for ensuring that they and their personnel are aware of information governance changes, and all personnel are responsible for complying with policies.

3: Planning

Planning and implementation includes addressing physical security, access control, website data security, mobile and cloud services, timely integration of information, reliable communication, system development and maintenance, contingency planning and business continuity planning. The Information Security Governance Committee (ISGC) will coordinate planning for the implementation of a formal information security program. Additionally, the ISGC will work to ensure that disaster recovery planning (i.e. contingency planning) and business continuity plans are created and implemented.

3.1 Information Security Implementation

The ISGC and CISO will oversee the review, creation and implementation of formal information security policies, procedures and controls. The CISO will report progress to the ISGC. Following identification of the greatest threats and risks to the company and its information systems, the CISO will bring recommendations and provide cost estimates for mitigating, transferring, or avoiding threats. The COO will ensure resources are available for critical operations in order to facilitate contingency and business continuity plans.

3.2 Contingency Planning

Disaster recovery plans shall be created following the identification of likely threats to employees and information systems. A Disaster Recovery Plan (DRP) will be developed and reviewed regularly by the ISGC. The CIO and CISO will establish a DRP committee and ensure that all information systems deemed critical or containing regulated or business-sensitive information have contingency plans, so that business operations may continue in the event a disaster risk is realized. The CIO and CISO will also work to create a business continuity plan to address risks which may pose interruptions to business operations.

3.3 Business Continuity Plan

It is recommended that the ISGC follow the recommendations of the Federal government regarding the Business Continuity Plan (BCP) offered by the Department of Homeland Security (Department of Homeland Security, n.d.). This includes performing a Business Impact Assessment (BIA), identifying recovery strategies, developing a plan, and testing and exercising the plan. The BCP must be reviewed, and exercises practiced for critical operations, at least annually. Supervisors shall require employees who maintain IT systems to review their respective area and notify the CISO of changes to information systems prior to purchasing new systems or performing any changes which may affect the BCP.

4: Implementation Management

Upon completion of, and agreement on, an initial implementation plan addressing the most pressing risks and threats to the company, the CISO, CIO, COO and leadership shall coordinate with project managers to gradually implement information system security policies, coordinate communication and education, and ensure supervisors and all personnel are aware of the changes and the reasons for them. It is expected that initial planning shall take one quarter and implementation of the first phase will occur in the following quarter. Feedback and communication from staff will be reviewed monthly, and each project will be implemented following the project management plan to ensure that the ISSP is implemented by the following year, within budget, and with employees educated on the purpose and processes to perform as well as their responsibilities.

5: Risk Management

The ISGC will work with functional managers to identify all risks facing the business. In order to identify risks, T-Shirt Barn Inc. will utilize a data-driven, risk-based approach in which the data is classified and managed according to regulatory requirements, including PCI-DSS and personally identifiable information (PII) privacy requirements, as well as sensitive company information. The business impact assessment will aid in identifying data, categories of data, and the systems hosting said data in order to classify and assess the risks. Formal risk management models are available and will be used to gauge the impact and severity of risks and threats, as well as to provide quantitative dollar values for them.

As part of the BIA, an analysis and prioritization based on regulatory requirements, data sensitivity, and addressing the greatest threats and highest risks will be performed. Plans to mitigate risk and implement protections will be recommended and implemented based on the ISGC and CEO agreements. Risks shall be monitored, tracked, and reported quarterly to the ISGC. All cyber security incidents which may require breach notifications or which are subject to regulatory requirements will be confirmed to be valid and immediately reported to the CISO, CIO, COO, and CEO. The BIA shall include quantitative dollar values to provide to the C-Suite.

6: Cost Management

Managing costs is an important aspect of implementing the ISSP. The C-Suite (CEO, COO, CISO, and CIO) will review all spending and ensure that cost-benefit analyses are done to prevent over-allocating resources. The goals of the ISSP are to reduce risks and minimize catastrophic profit loss, specifically the types of losses which may occur in the information system or cyber realms, by investing in processes, people, and technology strategically to minimize risk. The ISGC is tasked with identifying the best ways to reduce operational costs, minimize risks, and eliminate threats. Maintaining accurate tracking of spending and performing analyses, such as return on security investment (ROSI) analyses, using existing corporate tools and processes will ensure that corporate investments in cyber security do not exceed their benefits to the company.
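Sections 5 and 6 ask for quantitative dollar values per risk, prioritization by regulatory requirement, and a ROSI analysis that flags investments whose cost exceeds their benefit. The following added example (written for this page, not code or figures from the plan) shows one way to carry that through using the common formulation ALE = SLE × ARO and ROSI = (ALE before − ALE after − annual control cost) / annual control cost. Every risk, control, dollar figure and rate below is a constructed placeholder, not company data, and the control names reuse the projects the plan proposes only as labels.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI).

Added example illustrating the quantitative, classification-driven
prioritization described in sections 5 and 6; it is not part of the original
plan. Formulation: ALE = SLE x ARO and
ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost.
Every dollar figure and rate below is a constructed placeholder.
"""
from dataclasses import dataclass

# Regulatory priority used by section 5: regulated data first.
DATA_CLASS_PRIORITY = {"PCI": 0, "PII": 1, "internal": 2}


@dataclass(frozen=True)
class Risk:
    name: str
    data_class: str   # "PCI", "PII" or "internal"
    sle: float        # single loss expectancy, dollars per incident
    aro: float        # annualized rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk_name: str        # the Risk this control mitigates
    annual_cost: float    # dollars per year, including operations
    aro_reduction: float  # fraction of ARO removed, between 0 and 1


def ale_after(risk: Risk, control: Control) -> float:
    """Residual ALE once the control has reduced the rate of occurrence."""
    return risk.sle * risk.aro * (1.0 - control.aro_reduction)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment; negative means the control costs more than it saves."""
    benefit = risk.ale - ale_after(risk, control)
    return (benefit - control.annual_cost) / control.annual_cost


def rank_controls(risks, controls):
    """Rows for the C-Suite: regulated data first, then highest ROSI within a class."""
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        r = by_name[c.risk_name]
        rows.append({
            "control": c.name,
            "data_class": r.data_class,
            "ale_before": r.ale,
            "ale_after": ale_after(r, c),
            "annual_cost": c.annual_cost,
            "rosi": rosi(r, c),
        })
    rows.sort(key=lambda row: (DATA_CLASS_PRIORITY[row["data_class"]], -row["rosi"]))
    return rows


def negative_rosi(rows):
    """Controls whose annual cost exceeds their annual benefit (section 6 review trigger)."""
    return [row for row in rows if row["rosi"] < 0]


# Constructed sample data (placeholders, not real estimates).
SAMPLE_RISKS = [
    Risk("Cardholder data breach via POS network", "PCI", sle=250_000, aro=0.20),
    Risk("HR records exposure", "PII", sle=80_000, aro=0.25),
    Risk("Phishing-led ransomware on workstations", "internal", sle=120_000, aro=0.50),
]
SAMPLE_CONTROLS = [
    Control("PCI network segmentation", "Cardholder data breach via POS network", 30_000, 0.75),
    Control("Mail security gateway", "Phishing-led ransomware on workstations", 15_000, 0.60),
    Control("HR network segregation", "HR records exposure", 25_000, 0.50),
]

if __name__ == "__main__":
    for row in rank_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{row['control']:<26} {row['data_class']:<8} "
              f"ALE ${row['ale_before']:>8,.0f} -> ${row['ale_after']:>8,.0f}  "
              f"cost ${row['annual_cost']:>7,.0f}  ROSI {row['rosi']:+.2f}")
```

With the constructed figures, PCI segmentation ranks first because cardholder data carries the highest regulatory priority even though the mail gateway has the better ROSI, and the HR segregation control comes out with a negative ROSI, which is exactly the case the cost management section wants surfaced to the C-Suite rather than hidden in a project budget.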

6.2 Reduce operational costs

It is recommended that the ISGC review existing businesses’ cyber security investments to determine what are likely and reasonable investments. All projects exceeding five percent of their originally allocated budget will be subject to a review by the C-Suite. As an incentive to meet deadlines and reduce costs, the unspent budget of all projects which complete under budget while meeting or exceeding the originally desired risk reduction thresholds shall be paid out as bonuses to all personnel involved in the project. This tactic is anticipated to help meet project goals in a timely manner and prevent cost overruns.

7: Analysis & Recommendation to Management

As part of this final ISSP analysis, the following recommendations are made to the CEO, COO, and functional managers. The key elements are the minimum suggestions and build upon one another to address risks and threats toward T-Shirt Barn Inc. and its continued viability. The conclusions and future work areas provide the capstone and reiterate the importance of the information system security plan. It is important to note that this plan addresses the high-level review, management, implementation, and risks facing the company, and additional work must be done to perform specific steps such as implementing physical, administrative, and technical controls in order to give the ISSP effect.

7.1 Key Elements

1. A formal organizational hierarchy should be created and led by a CIO, CISO, and ISGC.

2. Roles and responsibilities should be defined in corporate policy documents, and subsequent procedures, policies, and guidelines communicated to all employees.

3. Education and training must occur to ensure employees understand the purpose of the new policies and know their responsibilities in meeting them.

4. Planning should begin immediately and ensure that investments to protect critical business operations and prevent disasters from crippling the business or endangering human life are made first, to address either natural or man-made risks.

5. The company will utilize a data-driven, risk-based approach by categorizing and classifying data and implementing policies and applying controls based on the regulatory requirements, sensitivity, and value of the data.

6. Cost is a critical factor as investments are being made to help the company grow, and so strategic investments must be scrutinized heavily to ensure the best return on investment (ROI) is realized.

7.2 Conclusion and Future Work

T-Shirt Barn has been fortunate in not yet having fully realized the risks posed to its viability through any serious cyber security or information system threats. There is significant work to do, and understanding the full scope of the risks requires our leaders to acknowledge, as shared in Cybersecurity for Executives, that “one of [our] primary responsibilities is to manage risk to protect [our] business and create an environment for it to grow and thrive” (Touhill & Touhill, 2014, p. 91). This information system security plan will begin the journey to reducing our risk and protecting our customers, clients, stakeholders and brand.

Additional work includes quantifying our risks, identifying and protecting all systems and data critical to our operations, ensuring we have redundancies for critical operations, and reviewing our progress. It is important that we continually review, revise, and report on the efficiency, costs, and effectiveness of our information security program. Future work will require gathering metrics and creating measures to ensure we are meeting this critical goal. As our information security processes mature, we will explore moving non-critical infrastructure to cloud service providers to decrease costs, provided the risks can be mitigated appropriately and additional high risks are not introduced.

8: Student Assessment of ISSP to Cyber Management

The ISSP provides good insight into the introduction and formalization of cyber security for an organization. It allows senior managers to assess and understand the risks posed to their companies in an executive summary style presentation. Executives who wish to dig deeper may reference specific sections of the ISSP. I found that utilizing the ISSP as a learning mechanism, and augmenting the concepts and methods available to cyber professionals with classic management theories and how they apply to IT management, gave a comprehensive approach to cyber management.

We are able to identify and address conflicts between business and cyber. The lecture materials combined with the ISSP provided tactics for working through inevitable conflicts. The value in the material provided for addressing conflicts will prove useful when faced with management who believe compliance and checklist security is the best way to reduce risk. Compliance and audits are an important component, but do not always provide the best business risk mitigation strategies; rather, they are a baseline or minimum. By demonstrating to other leaders the risks not addressed by a compliance-based cyber security approach, we can ensure we are not missing hidden threats.

Other critical areas addressed by the ISSP include the inclusion of a comprehensive business continuity plan and disaster recovery. These are often overlooked by businesses unless regulations force a review, and in those scenarios often only the regulated data is included in a BCP/DR. This is likely because BCP and DR are often considered expensive and cyber investments are often considered sunk costs. Thus, many companies shy away from investigating other cyber activities. The ISSP methodology wisely incorporates cost and benefit analysis methods as well as cost management and allows us to explore ways of measuring risk and quantifying it to provide to leadership so they can make business decisions.

Finally, the ISSP provides a comprehensive plan with regard to people, organizational structure, roles and responsibilities, and procurement and resource allocation. It ensures that a reasonable staff structure is created and that responsibilities and roles are defined. It reminds us that all personnel need cyber training and awareness. It also addresses communication strategies and allows us to create a framework to communicate cyber issues quickly in an organization. This last point is particularly important when discussing incident response, as well as procurement and resource allocation, which require solid communication chains.

Procurement and resource allocation is critical as resources are finite and functional groups, including cyber, often compete for them. We are reminded by cyber experts that “Cyber security is not an IT problem” (Iannarelli & O'Shaughnessy, 2015). The ISSP provides a framework for a plan to ensure that a balance between resources is sought and that careful consideration is performed before procurement of hardware or software to address risk. Finally, the ISSP reminds us to be sure to address laws, regulations, policies and legal issues and incorporate them into a plan. Inevitably legal issues will arise when cyber (often mixed with compliance, breach notifications, and incident response) is discussed. It’s important to put any issues which may arise into policy so that when they do, there is already a plan to address them. The ISSP is not a perfect solution, but I feel it is a great starting point for organizations lacking a formal cybersecurity plan.

References

Department of Homeland Security. (n.d.). Business Continuity Plan. Retrieved July 6, 2018, from Ready.gov: https://www.ready.gov/business/implementation/continuity

Joint Task Force Transformation Initiative. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. NIST, 1-93.

ITIL. (2014, September). In Wikipedia. Retrieved July 6, 2018, from Wikipedia: https://en.wikipedia.org/wiki/ITIL

Iannarelli, J. G., & O'Shaughnessy, M. (2015). Information Governance and Security. Amsterdam: Elsevier.

Management, I. o. (2002). Systems Engineering Guide. 1-16.

Swanson, M., Hash, J., Bowen, P., & NIST. (2006, February). Guide for Developing Security Plans for Federal Information Systems. Retrieved July 6, 2018, from https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final

Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for executives: A practical guide. Hoboken: Wiley.
