Wayne Fischer
July 6, 2018
Professor Moore
T-SHIRT BARN INFORMATION SYSTEMS SECURITY PLAN
Table of Contents
1. Company Summary
1.1 Purpose Statement
1.2 Enterprise Architecture
2: Management
2.1 Roles and Responsibilities
3: Planning
3.1 Information Security Implementation
3.2 Contingency Planning
3.3 Business Continuity Plan
4: Implementation Management
5: Risk Management
6: Cost Management
6.2 Reduce operational costs
7: Analysis & Recommendation to Management
7.1 Key Elements
7.2 Conclusion and Future Work
8: Student Assessment of ISSP to Cyber Management
References
Abstract
T-Shirt Barn Inc. is a fictitious company which utilizes modern information technology (IT) to sell custom T-shirts from an e-commerce website. This document provides an example of an Information Systems Security Plan (ISSP) with an emphasis on cyber security and the cyber security issues pertinent to personnel and authority, contingency planning, risk management, legal issues, and roles and responsibilities. There are seven major sections in this ISSP document, with a final eighth section discussing how ISSPs align to management's interests. Not all subsections from the original template provided are populated, and this should not be used as an authoritative ISSP document, but rather an
1. Company Summary
T-Shirt Barn Inc. is a privately held company which began operations in 1993 as a single store in a local strip mall located in Bakersfield, California. Steven Barn began the business by selling comical t-shirts, working with his wife, Michelle Barn. Sales were successful enough that by 2003 the store grew into a true small business with twenty full-time staff and began selling custom t-shirts with T-Shirt Barn Inc. logos and/or custom prints. The popularity of the Internet proved a lucrative opportunity to expand the business by offering an additional e-commerce option. Once this became available in 2005 the company had numerous computerized point-of-sale (POS) registers, an online website and e-commerce site, as well as various merchandise and inventory tracking systems. Today, in 2018, the company has fourteen full-time IT staff, including an IT manager, who perform all help desk, server maintenance, networking, and cyber security duties, and approximately fifty employees who work in sales, marketing, supply, and customer support.
Today Steven, now Chief Executive Officer, and his wife, now Chief Operating Officer, have grown concerned after their credit card processor and banks have required increasing cyber protections for their credit card systems. They are subject to numerous regulations such as the Payment Card Industry Data Security Standard (PCI-DSS), state data privacy regulations, and breach notification requirements. Additionally, they have discussed with business colleagues and friends business-impacting scenarios in which cyber security incidents have occurred, resulting in fines and operational impacts that significantly affected company profits. In order to address these concerns they have requested that the IT Manager revise and formalize existing cyber security documentation and create a formal Information System Security Plan.
1.1 Purpose Statement
This Information System Security Plan (ISSP) has been created to address the specific threats and risks facing T-Shirt Barn Inc. It provides an overview of the existing enterprise architecture, planning and implementation, a suggested management structure and organization of cyber staff, training and education, business continuity planning, and disaster recovery. It addresses cost and risk balancing and suggestions to senior leadership, as well as key points which are critical to decreasing the risks facing the company. This is a plan, and it requires additional documentation to be created in the form of policies, standards, and procedures, as well as specific controls and programs, which are outside the scope of this ISSP. It is expected that this plan will be reviewed, revised, and approved by senior management.
1.2 Enterprise Architecture
The IT architecture consists of physical servers, including a public web server, DNS server, and mail server located in a demilitarized zone (DMZ), which is protected from the Internet by a firewall and connects through an Intranet firewall to corporate databases and Intranet systems including payroll and scheduling, supply, human resources, sales, and information technology. The internal servers consist of an internal DNS server, Microsoft Active Directory servers, and POS and POS database servers
The IT Manager was an early adopter of the Information Technology Infrastructure Library (ITIL) and has used it as the overall Enterprise Architecture framework for "aligning IT services with the needs of the business" (ITIL, September 2014). The ITIL framework has worked well to address IT business needs; however, it lacks a formal ISSP model to use. The IT Manager practices some basic cyber security principles but recognizes the need for more expertise and additional cyber security infrastructure. The IT Manager and Management agree that using the National Institute of Standards and Technology (NIST) Special Publication 800-18 (Swanson, Hash, Bowen, & NIST, 2006) to develop the ISSP is the best
All critical infrastructure items must be managed by change control management to prevent outages and reduce configuration risks. Change management will be used during our projects to enhance our infrastructure. These projects include adding Intrusion Detection and Intrusion Prevention Systems and a Security Incident Event Management (SIEM) system; these devices should be placed strategically between the Internet and DMZ zones, as well as between the DMZ and Intranet zones. Additionally, centrally managed firewalls should be used to provide chokepoints between all networks. A comprehensive mail security system should be added to provide email protection and prevent phishing and viruses from arriving through email, and Internet proxies will be used to protect internal systems from accessing
The most critical aspect of the Enterprise Architecture is to introduce segregation for the point-of-sale and credit card processing applications and databases so that they are on separate networks and strictly managed to adhere to PCI-DSS standards and other regulatory requirements. Segregation and segmentation of the internal network remains a critical missing aspect of the architecture needed to protect T-Shirt Barn from threats. Each network may be segregated based on the risk management approach decided upon by management; however, it is recommended to segregate networks based on the type of data and its sensitivity. For example, human resources may maintain a unique network as it is subject to Personally Identifiable Information regulations, and PCI-DSS data should be kept on its own network.
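The following Python script is an added example, not part of the plan, showing one way the CISO's team could check a firewall rule export against the segmentation described above: every zone-to-zone flow must pass a chokepoint and be limited to explicitly listed ports, with everything else denied. The Internet, DMZ, and Intranet tiers come from the plan; the separate PCI and HR zones are the plan's recommendation; the port numbers, rule names, and the sample rule set are constructed assumptions for illustration.

```python
"""Zone-segmentation policy check for the T-Shirt Barn architecture (added example).

Zones, allowed flows and ports below are assumptions for illustration; the plan
only names the Internet, DMZ and Intranet tiers and recommends separate PCI
and HR networks.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Network zones: the three tiers from the plan plus the two segregated networks it recommends.
ZONES = ("INTERNET", "DMZ", "INTRANET", "PCI", "HR")

# Segmentation policy: (source zone, destination zone) -> ports a chokepoint firewall may pass.
# Any pair absent from this table is default-deny. Port numbers are assumed, not from the plan.
ALLOWED: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("INTERNET", "DMZ"): frozenset({25, 53, 80, 443}),  # mail, DNS and web servers in the DMZ
    ("DMZ", "INTRANET"): frozenset({1433}),             # web tier to corporate database (assumed)
    ("INTRANET", "DMZ"): frozenset({25, 53}),           # internal hosts relay mail/DNS via the DMZ
    ("INTRANET", "PCI"): frozenset({8443}),             # POS registers to POS database gateway (assumed)
    ("INTRANET", "HR"): frozenset({443}),               # HR application front end (assumed)
}


@dataclass(frozen=True)
class Rule:
    """One firewall rule as a reviewer would export it; port None means 'any'."""
    name: str
    src: str
    dst: str
    port: Optional[int]
    action: str  # "allow" or "deny"


def flow_allowed(src: str, dst: str, port: int) -> bool:
    """True if the segmentation policy permits this zone-to-zone flow on this port."""
    if src == dst:
        return True  # traffic inside one zone is not subject to the chokepoint policy
    return port in ALLOWED.get((src, dst), frozenset())


def audit(rules: List[Rule]) -> List[str]:
    """Return a finding per allow rule that is broader than the segmentation policy."""
    findings: List[str] = []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append(f"{r.name}: unknown zone in {r.src}->{r.dst}")
        elif r.action != "allow":
            continue  # deny rules can only tighten the policy
        elif r.port is None:
            findings.append(f"{r.name}: {r.src}->{r.dst} allows any port; policy requires explicit ports")
        elif not flow_allowed(r.src, r.dst, r.port):
            findings.append(f"{r.name}: {r.src}->{r.dst}:{r.port} is not in the segmentation policy")
    return findings


def paths_to(target: str, start: str = "INTERNET") -> List[List[str]]:
    """Enumerate chains of policy-allowed zone hops from start to target.

    Each hop is a separately firewalled chokepoint, so the list shows how many
    controls stand between the Internet and a sensitive zone such as PCI.
    """
    results: List[List[str]] = []

    def walk(path: List[str]) -> None:
        if path[-1] == target:
            results.append(list(path))
            return
        for (s, d) in ALLOWED:
            if s == path[-1] and d not in path:
                walk(path + [d])

    walk([start])
    return results


# Constructed sample rule set for the demonstration (not a real configuration).
SAMPLE_RULES = [
    Rule("fw-1", "INTERNET", "DMZ", 443, "allow"),       # public web site: permitted
    Rule("fw-2", "INTERNET", "DMZ", 3389, "allow"),      # remote desktop exposed to the Internet: not in policy
    Rule("fw-3", "INTERNET", "PCI", 443, "allow"),       # Internet straight into the card network: not in policy
    Rule("fw-4", "DMZ", "INTRANET", None, "allow"),      # any-port hole between DMZ and Intranet
    Rule("fw-5", "INTRANET", "PCI", 8443, "allow"),      # POS to POS database gateway: permitted
    Rule("fw-6", "INTRANET", "HR", 443, "allow"),        # HR application: permitted
    Rule("fw-7", "INTRANET", "INTERNET", None, "deny"),  # deny rules are never findings
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
    for path in paths_to("PCI"):
        print("chokepoints between Internet and PCI:", " -> ".join(path))
```

Running the script on the constructed rule set reports three findings (fw-2, fw-3, and fw-4) and shows that the only policy-conformant route from the Internet to the PCI zone crosses three separately firewalled hops, which is the property the plan's chokepoint recommendation is meant to guarantee. Re-running the audit as part of change control keeps later rule additions inside the same policy.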
2: Management
The CEO, COO, and IT Manager agree with the NIST publication’s suggestion that the ISSP
should address “key security-related documents for the information system such as a risk assessment, plan
of action and milestones, accreditation decision letter, privacy impact assessment, contingency plan,
configuration management plan, security configuration checklists, and system interconnection” (Swanson,
Hash, Bowen, & NIST, 2006, p. 1). An Information Security Governance committee will be created and
staffed by all areas of the company and headed by the COO. This committee will meet quarterly in order
to review progress of the implementation, evaluate risks, and ensure compliance across the company.
Leadership is in agreement that a formal Chief Information Officer (CIO) role is appropriate given the size of the organization and the expectation of future growth. They have decided the IT Manager will be promoted to CIO and given company-wide authority to develop and manage IT infrastructure, as well as to develop and maintain a cyber security program. It is suggested that a new Chief Information Security Officer (CISO) role be created and filled, reporting to the CIO with the authority and responsibility to manage cyber security risks for the organization. The CIO is also responsible for training and education for all IT operations. The CIO and CISO will be part of the information security governance committee along with legal, human resources, sales, IT, and marketing.
2.1 Roles and Responsibilities
The CEO will be ultimately responsible for and own the cybersecurity program; however, it will be managed by the CIO. We agree with the authors that this demonstrates management's commitment to the cyber security program and its seriousness to the company (Touhill & Touhill, 2014, p. 240). The CIO shall be responsible for all information technology aspects and report to the CEO and COO. However, the CIO will delegate cyber security and regulatory tasks to the CISO. The CISO is responsible for cyber security tasks and managing cyber risks to the company. The CISO is also responsible for managing, hiring, and retaining a trained staff of technical and regulatory experts. The CISO manages their own budget, reports any risks and recommendations from their team to the CIO, CEO, and COO, and ensures any security incidents which may impact business operations are reported immediately.
Information owners and information system owners are required to work with the CIO and CISO to
management, and cost management activities fall under the responsibility of the CIO. The COO will work with the information security governance committee, which shall grant authority and monitor responsibilities and efforts related to information governance. The CISO is delegated responsibility by the CIO and granted authority to create and manage their respective budgets, identify and report on risks, and work with human resources to create and maintain policies relevant to information technology, such as acceptable use policies and background screening. The CISO will perform planning and implementation activities through a project management specialist for any changes or new initiatives related to cyber security measures. Supervisors are responsible for ensuring that they and their personnel are aware of information governance changes, and all personnel are responsible for complying with policies.
3: Planning
Planning and implementation includes addressing physical security, access control, website data security, mobile and cloud services, timely integration of information, reliable communication, system development and maintenance, contingency planning, and business continuity planning. The Information Security Governance Committee (ISGC) will coordinate planning for the implementation of a formal information security program. Additionally, the ISGC will work to ensure that disaster recovery planning (e.g. contingency planning) and business continuity plans are created and implemented.
3.1 Information Security Implementation
The ISGC and CISO will oversee the review, creation, and implementation of formal information security policies, procedures, and controls. The CISO will report progress to the ISGC. Following identification of the greatest threats and risks to the company and its information systems, the CISO will bring recommendations and provide cost estimates for mitigating, transferring, or avoiding threats. The COO will ensure resources are available for critical operations in order to facilitate contingency and
3.2 Contingency Planning
Disaster recovery plans shall be created following the identification of likely threats to employees and information systems. A Disaster Recovery Plan (DRP) will be developed and reviewed regularly by the ISGC. The CIO and CISO will establish a DRP committee and ensure that all information systems deemed critical or containing regulated or business-sensitive information have contingency plans, so that business operations may continue in the event a disaster risk is realized. The CIO and CISO will also work to create a business continuity plan to address risks which may pose interruptions to business operations.
3.3 Business Continuity Plan
It is recommended that the ISGC follow the Federal government's recommendations regarding the Business Continuity Plan (BCP) offered by the Department of Homeland Security (Department of Homeland Security, n.d.). This includes performing a Business Impact Assessment (BIA), identifying recovery strategies, developing a plan, and testing and exercising the plan. The BCP must be reviewed, and exercises practiced for critical operations, at least annually. Supervisors shall require employees who maintain IT systems to review their respective areas and notify the CISO of changes to information systems prior to purchasing new systems or performing any changes which may affect the BCP.
4: Implementation Management
Upon completion and agreement of an initial implementation plan addressing the most pressing risks and threats to the company, the CISO, CIO, COO, and leadership shall coordinate with project managers to gradually implement information system security policies, coordinate communication and education, and ensure supervisors and all personnel are aware of the changes and the reasons for them. It is expected that initial planning shall take one quarter and implementation of the first phase will occur in the following quarter. Feedback and communication from staff will be reviewed monthly, and each project will be implemented following the project management plan to ensure that the ISSP is implemented by the following year, within budget, and with employees educated on the purpose and processes to perform
5: Risk Management
The ISGC will work with functional managers to identify all risks facing the business. In order to identify risks, T-Shirt Barn Inc. will utilize a data-driven, risk-based approach in which data is classified and managed according to regulatory requirements, including PCI-DSS and personally identifiable information (PII) privacy requirements, as well as sensitive company information. The business impact assessment will aid in identifying data, categories of data, and the systems hosting said data in order to classify and assess the risks. Formal risk management models are available and will be used to gauge the impact and severity of risks and threats, as well as to provide quantitative dollar values for them.
As part of the BIA, an analysis and prioritization based on regulatory requirements, data sensitivity, and addressing the greatest threats and highest risks will be performed. Plans to mitigate and implement protections to reduce risk will be recommended and implemented based on agreement between the ISGC and CEO. Risks shall be monitored, tracked, and reported quarterly to the ISGC. All cyber security incidents which may require breach notifications or which are subject to regulatory requirements will be confirmed to be valid and immediately reported to the CISO, CIO, COO, and CEO. The BIA shall
6: Cost Management
Managing costs is an important aspect of implementing the ISSP. The C-Suite (CEO, COO, CISO, and CIO) will review all spending and ensure that cost-benefit analyses are done to prevent over-allocating resources. The goals of the ISSP are to reduce risks and minimize catastrophic profit loss, specifically the types of losses which may occur in the information system or cyber realms, by investing in processes, people, and technology strategically to minimize risk. The ISGC is tasked with identifying the best ways to reduce operational costs, minimize risks, and eliminate threats. Maintaining accurate tracking of spending and performing analyses, such as security return-on-investment (ROSI) analyses, using existing corporate tools and processes will ensure that corporate investments into cyber security will not
6.2 Reduce operational costs
It is recommended that the ISGC review existing business cyber security investments to determine what are likely and reasonable investments. All projects exceeding five percent of their originally allocated budget will be subject to a review by the C-Suite. As an incentive to meet deadlines and reduce costs, all projects which complete under budget while providing or exceeding the originally desired risk reduction thresholds shall result in bonuses paid out to all personnel involved in the project. This tactic is anticipated to help meet project goals in a timely manner and prevent cost overruns.
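Sections 5 and 6 call for formal risk models that put dollar values on risks and for ROSI analyses of cyber spending, without naming a particular model. The Python below is an added example (not from the plan) that assumes the widely used annualized loss expectancy model (SLE = asset value × exposure factor; ALE = SLE × ARO) and the ROSI ratio ((ALE saved − control cost) / control cost); it ranks a constructed risk register by ALE, ranks candidate controls by ROSI, and applies section 6's five-percent budget-overrun review rule. Every risk, control, and dollar figure is constructed for the fictitious company.

```python
"""Quantitative risk register and ROSI ranking (added example).

The plan calls for formal risk models that assign dollar values to risks and for
ROSI analyses of security spending. This example assumes the common annualized
loss expectancy model (SLE = asset value x exposure factor, ALE = SLE x ARO) and
the ROSI ratio (risk reduction minus control cost, divided by control cost);
neither formula is named in the plan. All figures are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollar value of the affected asset or revenue stream
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy in dollars."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy in dollars."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # yearly cost of the control (capital amortized plus operations)
    covers: str           # name of the Risk it mitigates
    aro_reduction: float  # fraction of the incident rate the control removes (assumed estimate)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control reduces how often the incident occurs."""
    return round(risk.ale() * (1.0 - control.aro_reduction), 2)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE saved - cost) / cost."""
    saved = risk.ale() - residual_ale(risk, control)
    return round((saved - control.annual_cost) / control.annual_cost, 4)


def prioritize(risks: List[Risk]) -> List[str]:
    """Risk names ordered by ALE, highest first, for the ISGC's quarterly review."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def rank_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, float]]:
    """(control name, ROSI) pairs, best return first; negative ROSI is kept so it stays visible."""
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    scored = [(c.name, rosi(by_name[c.covers], c)) for c in controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def needs_csuite_review(allocated: float, actual: float, tolerance: float = 0.05) -> bool:
    """Section 6 rule: spending more than five percent over the allocated budget triggers review."""
    return actual > allocated * (1.0 + tolerance)


# Constructed register for the fictitious company; values are illustrative only.
RISKS = [
    Risk("POS card data breach", asset_value=500_000, exposure_factor=0.6, aro=0.2),
    Risk("E-commerce site outage", asset_value=200_000, exposure_factor=0.25, aro=2.0),
    Risk("Phishing-delivered malware", asset_value=150_000, exposure_factor=0.3, aro=1.5),
]
CONTROLS = [
    Control("Segregated PCI network", annual_cost=25_000, covers="POS card data breach", aro_reduction=0.75),
    Control("Mail security gateway", annual_cost=12_000, covers="Phishing-delivered malware", aro_reduction=0.6),
    Control("Redundant Internet link", annual_cost=30_000, covers="E-commerce site outage", aro_reduction=0.5),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: SLE ${r.sle():,.0f}  ALE ${r.ale():,.0f}")
    for name, ratio in rank_controls(RISKS, CONTROLS):
        print(f"{name}: ROSI {ratio:.2f}")
    print("5% overrun review needed:", needs_csuite_review(100_000, 106_000))
```

With these constructed inputs the largest ALE is the e-commerce outage, yet the best ROSI belongs to the mail security gateway, which is the point of pairing the two views: the risk ranking tells the ISGC where exposure is concentrated, while the ROSI ranking tells the C-Suite which spend buys the most reduction per dollar. The ARO-reduction estimates are the weakest input and should be revisited as incident metrics accumulate.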
7: Analysis & Recommendation to Management
As part of this final ISSP analysis, the following recommendations are made to the CEO, COO, and functional managers. The key elements are the minimum suggestions and build upon one another to address risks and threats toward T-Shirt Barn Inc. and its continued viability. The conclusions and future work areas provide the capstone and reiterate the importance of the information system security plan. It is important to note that this plan addresses the high-level review, management, implementation, and risks facing the company, and additional work must be done to perform specific steps such as implementing physical, administrative, and technical controls in order to empower the ISSP.
7.1 Key Elements
1. A formal organizational hierarchy should be created and led by a CIO, CISO, and ISGC.
2. Roles and responsibilities should be defined in corporate policy documents, and subsequent
3. Education and training must occur to ensure employees understand the purpose and know their
4. Planning should begin immediately and ensure that investments to protect critical business operations and prevent disasters from crippling the business or endangering human life are
5. The company will utilize a data-derived, risk-based approach by categorizing and classifying data and implementing policies and applying controls based on the regulatory requirements, sensitivity, and value of data.
6. Cost is a critical factor as investments are being made to help the company grow, and so strategic investments must be scrutinized heavily to ensure the best return on investment (ROI) is realized.
7.2 Conclusion and Future Work
T-Shirt Barn has been fortunate in not yet having fully realized the risks posed to its viability through any serious cyber security or information system threats. There is significant work to do, and understanding the full scope of the risks requires our leaders to acknowledge, as shared in Cybersecurity for Executives, that "one of [our] primary responsibilities is to manage risk to protect [our] business and create an environment for it to grow and thrive" (Touhill & Touhill, 2014, p. 91). This information system security plan will begin the journey to reducing our risk and protecting our customers, clients,
Additional work includes quantifying our risks, identifying and protecting all systems and data critical to our operations, ensuring we have redundancies for critical operations, and reviewing our progress. It is important that we continually review, revise, and report on the efficiency, costs, and effectiveness of our information security program. Future work will require gathering metrics and creating measures to ensure we are meeting this critical goal. As our information security processes mature, we will explore moving non-critical infrastructure to cloud service providers to decrease costs, provided risks may be mitigated appropriately and additional high risks are not introduced.
8: Student Assessment of ISSP to Cyber Management
The ISSP provides good insight into the introduction and formalization of cyber security for an organization. It allows senior managers to be able to assess and understand the risks posed to their companies in an executive-summary-style presentation. Executives who wish to dig deeper may reference specific sections of the ISSP. I found utilizing the ISSP as a learning mechanism and augmenting the concepts and methods available to cyber professionals with classic management theories and how they
We are able to identify and address conflicts between business and cyber. The lecture materials combined with the ISSP provided tactics for working through inevitable conflicts. The value in the material provided for addressing conflicts will prove useful when faced with management who believe compliance and checklist security is the best way to reduce risk. Compliance and audits are an important component, but do not always provide the best business risk mitigation strategies; rather, they are a baseline or minimum. By demonstrating to other leaders that realizing risks not addressed by compliance-based cyber
Other critical areas addressed by the ISSP include the inclusion of a comprehensive business continuity plan and disaster recovery. These are often overlooked by businesses unless regulations force review, and in those scenarios often only the regulated data is included in a BCP/DR. This is likely because BCP and DR are often considered expensive and cyber investments are often considered sunk costs. Thus, many companies shy away from investigating other cyber activities. The ISSP methodology wisely incorporates cost and benefit analysis methods as well as cost management, and allows us to explore ways of measuring risk and quantifying it to provide to leadership so they can make business decisions.
Finally, the ISSP provides a comprehensive plan with regard to people, organizational structure, roles and responsibilities, and procurement and resource allocation. It ensures that a reasonable staff structure is created and that responsibilities and roles are defined. It reminds us that all personnel need cyber training and awareness. It also addresses communication strategies and allows us to create a framework to communicate cyber issues quickly in an organization. This last point is particularly important when discussing incident response, as well as procurement and resource allocation, which
Procurement and resource allocation is critical as resources are finite and functional groups, including cyber, often compete for them. We are reminded by cyber experts, "Cyber security is not an IT problem" (Iannarelli & O'Shaughnessy, 2015). The ISSP provides a framework for a plan to ensure that a balance between resources is sought and that careful consideration is performed before procurement of hardware or software to address risk. Finally, the ISSP reminds us to be sure to address laws, regulations, policies, and legal issues and incorporate them into a plan. Inevitably legal issues will arise when cyber (often mixed with compliance, breach notifications, and incident response) is discussed. It's important to put any issues which may arise into policy so that when they do, there is already a plan to address them. The ISSP is not a perfect solution, but I feel it is a great starting point for organizations lacking a formal cybersecurity plan.
References
Department of Homeland Security. (n.d.). Business Continuity Plan. Retrieved July 6, 2018, from Ready.gov: https://www.ready.gov/business/implementation/continuity
Joint Task Force Transformation Initiative. (2010). Guide for Applying the Risk Management Framework to Federal Information
ITIL. (2014, September). Retrieved from https://en.wikipedia.org/wiki/ITIL
Iannarelli, G. J., & O'Shaughnessy, M. (2015). Information Governance and Security. Amsterdam: Elsevier.
Swanson, M., Hash, J., Bowen, P., & NIST. (2006, February). Guide for Developing Security Plans for
https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for executives: A practical guide. Hoboken: Wiley.