
Management & Cyber Security

The ISSP is a critical document that provides the framework for all of the supporting security standards, specifications, and plans for the organization.  Furthermore, it requires the creation, review, and testing of specific documents, such as the information security standards and business contingency plans.  Without describing the implementation details, it itemizes the minimum set of rules and responsibilities that must be upheld by everyone who interacts with the company's information systems and assets.

I believe one of the most critical components of an ISSP is the risk assessment.  Risk profile and tolerance will have the most direct effect on the resources (i.e. cost) needed to protect the company's information assets.  By mandating that risk be evaluated, and evaluated on an ongoing basis, it ensures that the individuals and teams responsible for upholding the policies are doing so based on the current risks, conditions, and threats to the organization.  From a professional and ethical standpoint the ISSP also has to balance the business needs of the network along with the security needs.  Every dollar spent on cyber security must count, as that is one dollar that could have been invested back into the business.  One must carefully examine the return on cyber security investments and prioritize accordingly.

What follows is an abbreviated ISSP for a fictitious software company as a demonstration of security plan fundamentals.


ACME Information System Security Policy

Abstract
The ACME Information Security Policy provides a framework for the management of information security throughout the company and defines the set of minimum requirements that employees and third-party contractors must comply with to protect the confidentiality, integrity, and authenticity of ACME information assets.  Cyber Security is ultimately responsible for keeping ACME and its information assets secure.  The policies described in this document must be upheld by supporting standards and specifications.  Note the following distinction between policies and standards (Bosworth, 2014):
  • A policy is the set of rules and regulations defined by the organization; it is focused on the desired results, not the means of achieving those results.
  • A standard refers to the specific technical choices made to implement a particular policy.

1.0  Company Summary

ACME Software is an industry leading application developer that specializes in business efficiency software.  Our suite of software allows companies of all sizes to grow and manage their business effectively whether locally hosted or cloud based.    

1.1  Enterprise Architecture

The ACME enterprise architecture has two major components, both supported by in-house resources.  The first is the public-facing external Web portal, which serves the product marketing and sales material as well as the customer support sites.  The second is the internal architecture, which supports our GitHub-based developer environment hosted on our private cloud; our defect tracking and Business Intelligence (BI) systems are also hosted in our internal data centers.  The bulk of our remaining information technology (IT) services, including email, document storage, customer relationship management (CRM), and human resources (HR), are outsourced.

2.0  Management
      
2.1  Roles and Responsibilities
2.1.1  Chief Information Security Officer (CISO)
The CISO is the individual in the company with overall responsibility for developing the information security standards that uphold the policies defined in this document.  The CISO manages the identification, implementation, and monitoring of information assets and controls.  The CISO must approve all security plans for information systems.  The CISO is also responsible for developing cyber security training for all employees of the organization, which must be reviewed and updated on a bi-yearly basis.

2.1.2  Cyber Security

The Cyber Security team is the group of employees, led by the CISO, whose responsibility it is to develop and execute the standards and specifications that support the policies defined in this document.  This group is also responsible for the auditing and communication of ACME corporate asset status as well as developing and executing contingency and disaster recovery plans. 

2.1.3  Information System Owner

The information system owner is responsible for the procurement, implementation, deployment, and monitoring of an individual information system.  The information system owner must create and verify a security plan before any information system is deployed on the corporate network.  This individual must also contribute towards developing the continuity and disaster recovery plans for that system.

2.1.4  Outsourced Service Coordinator

In the case of an outsourced service or managed system, an Outsourced Service Coordinator (OSC) shall be designated to facilitate the management of that service.  The OSC shall be responsible for ensuring that the service level agreement (SLA) with the contractor is upheld, as well as for coordinating any resource engagement or support services.

2.1.5  End User

Everyone in the organization, including contractors, is an end user of ACME information systems.  All users are responsible for upholding the policies specified in this document as well as reporting security incidents.  Misconduct or failure to comply with these policies may result in disciplinary action, up to and including termination of employment.

2.2  Security Implementation Management

Cyber Security must develop the underlying standards and specifications that uphold the policies described in this document. 

2.3  Human Resource Management

Adequate screening and background checks must be performed prior to employment to reduce the risk to information assets owned by ACME.  Pre-employment requirements and guidelines for potential employees and contractors are the responsibility of the Human Resources (HR) group.  HR must also require prospective employees and contractors to sign a non-disclosure agreement (NDA) prior to employment and should consult with legal counsel in the drafting of the NDA language.

Management, and in particular the direct reporting manager, has the responsibility to ensure that an ACME worker’s employment termination is managed properly.  Any ACME property must be returned and access rights removed.  This process should be given special attention as it is estimated that over half of fired employees steal important corporate data after departing (IBM, 2015).

2.4  Security Incident Management

Cyber Security must develop and maintain a process for cyber security incident response and for any required reporting to external partners and authorities, such as law enforcement.  All ACME workers must report any suspected incidents to Cyber Security immediately, and Cyber Security must maintain a facility that enables easy reporting of such issues.

3.0  Risk Management

Risk management must identify and address both the technical and non-technical threats to ACME information assets.  The ACME Information Security Policy covers all information assets connected to the ACME corporate network and information transmitted to or from the ACME corporate network.  Cyber Security must establish standards for upholding this policy and for effective risk management. 

3.1  Risk Identification

3.1.1  Technical Risks
Intellectual property in the form of internally developed source code presents the highest risk to the ACME business.  Cyber Security must develop standards for ensuring the confidentiality, integrity, and authenticity of all source code.  All information systems, both internal and external facing, must be inventoried and processes established to ensure technical vulnerabilities are addressed.  Information assets in the form of company financial data, company email and documentation, defect tracking, and customer-sensitive information must also be secured from unauthorized access.

3.1.2  Non-technical Risks

Policies and training must be developed to protect against vulnerabilities caused by human factors.  One study by CompTIA noted that 52% of all breaches were the result of human error (CompTIA, 2015).  Cyber Security must develop cyber security training that all employees must complete on a bi-yearly basis.  Standards on the acceptable use of social media as it pertains to ACME company information must also be developed and reviewed on a bi-yearly basis.

3.2  Risk Assessment

A comprehensive risk assessment of all ACME information assets and systems shall be completed at least yearly.  A cyber security risk assessment tool, such as the one published by the Federal Financial Institutions Examination Council, should be used to gauge whether industry best practices are being followed.

3.3  Risk Classification & Prioritization

To facilitate the creation of a Business Impact Analysis and Contingency Plan, all ACME information systems must have their risk level and potential impact categorized according to the FIPS 199 standard (National Institute of Standards and Technology, 2004), which is outlined as follows:
  • High – the unauthorized disclosure, modification, destruction, or interruption of information could be expected to have a severe or catastrophic adverse effect on the organization.
  • Moderate – the unauthorized disclosure, modification, destruction, or interruption of information could be expected to have a serious adverse effect on the organization.
  • Low – the unauthorized disclosure, modification, destruction, or interruption of information could be expected to have a limited adverse effect on the organization.

3.4  Risk Tracking

Metrics must be developed to ensure tracking of security risks.  Business Intelligence systems shall be developed to facilitate the tracking and communication of all identified security risks.  Metrics should include not only risk factors such as the percentages of patched systems and employee training completion but also metrics that communicate the “health” of information assets and their availability.  Items including system response time and availability should be included as an additional risk factor and may also be used to indicate an issue or need to activate a contingency plan. 

4.0  Planning

4.1  Information Security Implementation

4.1.1  Physical security

ACME Software’s main campus building must be secured from unauthorized access.  All employees must be provided a photo ID badge to be worn visibly at all times.  All employees will be granted access to the main doors.  Doors for more restricted areas such as, but not limited to, lab environments, maintenance areas, and wiring closets must be restricted to those with a business reason to enter.  Access rights for all entrances must be reviewed on a bi-yearly basis.

Physical information assets must be properly secured, stored, and disposed of.  Hardcopy printouts containing confidential information must be properly disposed of.  Employee workstations such as laptops must have their hard drives sanitized upon being decommissioned.

4.1.2  Access Control

Formal user registration processes must be implemented to enable assignment of access rights.  Each account must be assigned to a uniquely identifiable individual, including systems administrator accounts.  Management must establish access controls based on the “least privilege” and “need to know” security principles with a “deny all” as the default.  Access must be restricted to resources that are needed to perform job responsibilities.  Any system that stores, processes, or transmits ACME data must be secured from unauthorized access.  Access controls must be reviewed regularly, at least on a bi-yearly basis.

Users must authenticate into the ACME environment using a strong password.  Remote access authentication such as VPN will be performed through both two-factor authentication and strong password mechanisms.  Cyber Security is responsible for developing password strength, complexity, and duration standards and should consider implementing standards in accordance with the current National Institute of Standards and Technology (NIST) password guidelines.  Users must comply with password management standards whether enforced automatically or by policy.  End users must not share their passwords or other authentication methods with anyone.  Passwords must be stored using a one-way (hashed) transformation of sufficient strength that the clear-text password cannot be recovered from the stored value.  Passwords must not be stored in plain text on any system.
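The password-storage rule above ("one-way, sufficient strength, never plain text") is easier to audit against a concrete record format.  The following is an added example, not ACME's standard or code from the original page: it stores each password as a salted PBKDF2-HMAC-SHA256 record and verifies it in constant time.  The iteration count and record layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumptions for this example; a real standard
# (section 4.1.2 leaves that to Cyber Security) would pin these values.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, and the stored digest cannot be reversed to the
    clear text; it can only be recomputed from a candidate password.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare safely.

    Anything that is not a well-formed record (for example a plain-text value
    that leaked into the store) fails closed rather than matching by accident.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except ValueError:  # wrong field count, bad base64, non-numeric iterations
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(actual, expected)


def record_is_compliant(record: str, min_iterations: int = ITERATIONS) -> bool:
    """Audit helper: does a stored record meet the assumed minimum work factor?"""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        return int(parts[1]) >= min_iterations
    except ValueError:
        return False


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Tr0ub4dor&3", stored))
```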

4.1.3  Network Security Management

Networks must be managed and controlled in order to protect ACME’s information assets that are stored or in transit.  Physically accessible wired network access ports must be secured by appropriate access controls.  All wireless access point connectivity must be authenticated by appropriate access controls and its communication encrypted.  Cyber Security is responsible for developing the required technology standards to support this policy.

Cyber Security is also responsible for the procurement, testing, deployment, and monitoring of all network infrastructure equipment including firewalls, switches, routers, access points, and servers.  All equipment installed on the ACME corporate network must be capable of auditing and monitoring user login attempts, configuration changes, and command accounting.

4.1.4  Operational Security

Cyber Security must introduce controls and policies to safeguard ACME business systems against malware, including but not limited to viruses, worms, and Trojan horses.  ACME workers must not disable or bypass malware protection on any system.  Cyber Security is responsible for the selection and approval of controls to prevent, detect, and remove malicious code.

Systems that store and process information assets must maintain an accounting record, including but not limited to identity (i.e. username), date/time of access, and what was modified.  All system logs are considered confidential, and relevant legal requirements applicable to monitoring and logging must be observed.  System administrator logs must be retained and reviewed on at least a weekly basis to check for suspicious activity.

4.1.5  Vulnerability Management

ACME’s exposure to technical vulnerabilities must be evaluated on a regular basis with the utmost priority.  Action must be taken in a timely manner that is commensurate with the level of security risk and exposure involved.  All information systems including network, operating system, database, and applications must be scanned at least once a month.

Applicable patches must be obtained from a known, trusted source.  The authenticity and integrity of patches must be verified via means such as hashes or checksums.  Patches should be tested on an isolated system to verify there are no unintended side-effects.  Data or configuration backups must be performed prior to the application of the patch.

All modifications to production systems must follow the ACME change management process, including patch deployments.  Technical vulnerabilities, including vendor-supplied patches, shall be treated with the highest priority.  The service level agreement for the application of patches must be quantified according to the risk assessment of ACME IT, the vendor’s evaluation, system criticality and susceptibility.  The definition of security vulnerabilities, leveraged from Microsoft’s Security Bulletin Rating System (Microsoft, 2012), along with guidelines for the deployment of patches is as follows:
  • Critical – A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.  Timeline for deployment: immediately, or as soon as feasibly possible.
  • Important – A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.  Timeline for deployment: within 7 days.
  • Moderate – Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations.  Timeline for deployment: within 14 days.
  • Low – Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.  Timeline for deployment: evaluate whether to apply or not.

Penetration testing must be performed against internal and external facing systems at least annually or following any significant infrastructure modification or deployment.  If an outside contractor is used to perform penetration testing appropriate vetting must be performed and NDA agreements obtained to ensure the confidentiality of ACME information assets and systems. 
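Sections 3.4 (risk tracking metrics such as the percentage of patched systems) and 4.1.5 (the rating-to-timeline table) combine naturally into a small tracker.  The following is an added example, not ACME's own tooling: it derives each finding's deadline from its rating, reports its status, and produces the metrics a Business Intelligence dashboard would consume.  The inventory, dates, and the treatment of "Critical" as due on the day the patch is available are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Deployment timelines from the rating table above. "Immediately" is modelled as
# due on the day the patch became available; "Low" has no fixed deadline and is
# tracked as "evaluate" rather than counted against the SLA metrics.
SLA_DAYS: Dict[str, Optional[int]] = {
    "Critical": 0, "Important": 7, "Moderate": 14, "Low": None,
}


@dataclass
class Finding:
    system: str
    rating: str
    patch_available: date            # day a trusted vendor patch was released
    patched_on: Optional[date] = None  # None while the finding is still open


def due_date(f: Finding) -> Optional[date]:
    """Deadline derived from the rating; None when the policy says 'evaluate'."""
    if f.rating not in SLA_DAYS:
        raise ValueError(f"unknown rating: {f.rating!r}")
    days = SLA_DAYS[f.rating]
    return None if days is None else f.patch_available + timedelta(days=days)


def status(f: Finding, today: date) -> str:
    """One of: patched (within SLA), late, overdue, open, evaluate."""
    due = due_date(f)
    if f.patched_on is not None:
        return "patched" if due is None or f.patched_on <= due else "late"
    if due is None:
        return "evaluate"
    return "overdue" if today > due else "open"


def metrics(findings: List[Finding], today: date) -> dict:
    """Section 3.4 style risk-tracking metrics over findings that carry an SLA."""
    counted = [f for f in findings if due_date(f) is not None]
    patched = [f for f in counted if f.patched_on is not None]
    within = [f for f in patched if status(f, today) == "patched"]
    overdue = [f for f in counted if status(f, today) == "overdue"]
    pct = lambda part, whole: round(100.0 * len(part) / len(whole), 1) if whole else 100.0
    return {
        "percent_patched": pct(patched, counted),
        "percent_within_sla": pct(within, patched),
        "overdue": sorted(f.system for f in overdue),
    }


# Constructed sample inventory for the example; not real ACME systems or dates.
SAMPLE: List[Finding] = [
    Finding("git-01", "Critical", date(2024, 3, 1), date(2024, 3, 1)),
    Finding("web-01", "Important", date(2024, 3, 1), date(2024, 3, 10)),  # 2 days late
    Finding("bi-01", "Moderate", date(2024, 3, 1)),                       # still open
    Finding("db-01", "Important", date(2024, 3, 1)),                      # past deadline
    Finding("hr-01", "Low", date(2024, 3, 1)),                            # evaluate only
]


def sample_report(today_iso: str = "2024-03-12") -> dict:
    """Status per system plus the metrics, as a dashboard feed would receive them."""
    today = date.fromisoformat(today_iso)
    return {"statuses": {f.system: status(f, today) for f in SAMPLE},
            **metrics(SAMPLE, today)}


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```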

4.1.6  Cryptography

The confidentiality of ACME information assets at rest and in transit must be cryptographically protected.  This includes end user systems as well as corporate backups.  Storage of ACME information on public cloud services must also be encrypted.  Specific guidelines regarding encryption standards, strengths, and key management policies shall be defined by the Cyber Security group.  

4.1.7  Reliable Communication

Information transmitted via electronic messaging should be appropriately protected.  Digital signatures must be used where there is a legal, compliance, or business need to verify the authenticity or integrity of a document.

4.1.8  System Development and Maintenance

Security requirements must be designed and reviewed as part of the system requirements gathering process for new systems.  Security controls such as firewalls and Intrusion Prevention Systems (IPS) must be implemented to protect ACME networks.  Change management controls must be developed and employed for any change to a production system.  Production, test, and development systems must be properly segregated, with each only accessible by approved users.  Test or development systems must not be connected to the public internet.  To ensure the authenticity of ACME-branded products, all software must be delivered with code-signing facilities.

4.1.9  Secure Software Development Lifecycle Management (SDLC)
A secure software development lifecycle must be in place that supports software from its creation and throughout its lifecycle.  ACME source code must be protected against unauthorized access or alteration.  Change management processes must be defined and followed for all system implementation, enhancements, and alterations.  Software developers must be sufficiently trained in the secure development of software.  No code shall be developed that enables hidden commands or backdoors that allow for the bypass of security controls.  The use or integration of any third party code must be evaluated from a security perspective. 

4.2  Contingency Planning

4.2.1  Business Impact Analysis

To facilitate the development of a Business Contingency Plan (BCP) a Business Impact Analysis (BIA) must be performed for all of ACME’s information systems and assets.  The BIA shall be re-evaluated on a minimum yearly basis.  The BIA should include the following information, as outlined in the NIST Contingency Planning Guide (NIST, 2010):
  • Determine business processes and recovery criticality.  Identify the impact of system unavailability along with the outage impacts and downtime.
  • Identify resource requirements.   Evaluate the resources needed to maintain backup procedures and systems.
  • Identify recovery priorities.  Prioritize the system recovery based on the preceding information gathered.

4.2.2  Business Contingency Plan

Unavailability of information systems affects all business functions.  Management must ensure the creation of a Business Contingency Plan that enables all functions to continue to operate following a service outage.  This plan must address both IT service unavailability as well as workplace unavailability.

The IT team must create contingency plans for all information systems including data backup and recovery procedures.  In the event of a data breach, measures must be taken to preserve evidence and management must determine what type of support (technical, legal, public relations, or law enforcement) is needed.  The BCP shall be tested and reviewed on a minimum yearly basis.

The ability to work remotely is a highly effective replacement workplace and should be considered for contingency planning (Business Continuity Institute, 2016), but must also uphold the security requirements governing information transit to and from the ACME corporate network.

The contingency plan should provide metrics-based guidelines that give criteria for when a contingency plan should be activated and when it can be deactivated.  The contingency plan should also take into consideration the cost involved with maintaining emergency services, as not all services must be maintained, or maintained at the same level, as in normal operations.


5.0  Conclusion

By not declaring “how” the policies will be upheld, the ISSP gives the team the flexibility to investigate and choose the best and most cost effective way to uphold each policy.  It does not state whether or not a particular service should be outsourced, for example, just that it be provided in a secure manner.  This also allows for newer and more secure technology to be implemented without having to revisit the overall guiding policies of the company.

I think the most valuable overall component of the ISSP is that it forces you to consider all aspects of security with respect to your organization from an objective point of view, and to do it on a regular basis.  Services such as backup systems may be ingrained in the DNA of IT teams, but mandating that those systems be tested on a regular basis may not be something that is routinely performed.

Protecting your network from a cyber-attack can be resource intensive and expensive.  Having a comprehensive ISSP as well as the supporting standards and plans can help ensure that you have evaluated your risks and applied your resources in the most efficient way possible.  Any extra dollar spent on cyber security is one that could have been invested back into the business.  It’s important for organizations to try and find the right balance between risk and cost and the ISSP is an invaluable component of that process.

References
  • Bosworth, S., Kabay, M.E., Whyne, E.  (2014).  Computer Security Handbook.
  • Business Continuity Institute (2016).  Workplace Recovery Report 2016.  Retrieved from http://www.bcifiles.com/Workplace_Recovery_2016.pdf
  • CompTIA (2015).  Organizations Changing Strategies and Tactics as Security Environment Gets More Complex.  Retrieved from https://www.comptia.org/about-us/newsroom/press-releases/2015/03/31/organizations-changing-strategies-and-tactics-as-security-environment-gets-more-complex-new-comptia-study-finds
  • Federal Financial Institutions Examination Council (2015).  Cybersecurity Assessment Tool.  Retrieved from http://www.ffiec.gov/cyberassessmenttool.htm
  • IBM Corporation (2015).  IBM 2015 Cyber Security Intelligence Index.  Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03073USEN&attachment=SEW03073USEN.PDF
  • Microsoft (2012).  Security Bulletin Severity Rating System.  Retrieved from https://technet.microsoft.com/en-us/security/gg309177.aspx
  • National Institute of Standards and Technology (2004).  Federal Information Processing Standards Publication 199.  Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf