Management and Cyber Security

07/19/2021

Abstract
ISI is one of the leading solutions providers specializing in Cybersecurity, System Infrastructure, Application Delivery Optimization, Data Center, Storage and Data Protection. It is officially partnered with the key industry leaders. ISI serves a number of industry verticals including, but not limited to, Service Providers, Oil & Gas, Media, Education and Healthcare.
The IT decision makers at some of the largest Oil & Gas companies, universities and pharmaceutical companies have nominated ISI as their preferred technology partner. ISI's team consists of highly qualified, certified, experienced and skilled engineers who specialize in the areas of IP Networks, Systems and Security, Application Delivery and Data Protection solutions.
As an organization which offers cybersecurity solutions to enterprises, ISI has an additional responsibility to keep its customers' proprietary information as secure as possible. Security awareness is treated as a priority when conducting business operations. ISI understands its responsibility to ensure that it maintains the integrity of its resources, that proprietary information is kept secure, and that all stakeholders feel assured by the security practices of the organization.
This Information System Security Plan (ISSP) reflects the security practices and resources within the domain of ISI. The purpose of this ISSP is to illustrate the processes and courses of action used by ISI to reduce its attack surface and its exposure to security-related incidents. This ISSP showcases the security awareness and risk mitigation processes that are adopted and implemented by ISI. It covers cyber security with an emphasis on management strategies that ensure that organizational goals are met. ISI developed the ISSP using the guidelines of the NIST 800-series Special Publications, which define the objective of information system security planning as improving the protection of information system resources. Organizations like ISI hold information with some level of sensitivity that requires protection as part of good management practice. The protection of a system must be documented in a system security plan. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates the responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system.
Company Summary
ISI believes in strong relationships with customers and provides them with the best-suited solutions to maintain a competitive edge in today's dynamic IT network industry. Its commitment is to work very closely with customers, starting from the concept initiation phase of the project. This close coordination with customers continues throughout the design, implementation and support phases, and ISI ensures a seamless roll-out of the solution. ISI proposes reliable, cutting-edge solutions to enterprise customers according to their requirements so that they can maintain their business operations more efficiently.
Enterprise Architecture
ISI's architecture is not very different from a traditional enterprise architecture. The company manages 3 data centers, 20 branches and a DMZ, and has enabled a few SaaS services and applications. ISI's website is hosted on its public web servers within the DMZ. The website "isi.org" uses TLS for access, which provides encryption and a secure link to the database server used for end-user authentication. In the data center, ISI has deployed a firewall for north-south traffic and an inline IPS (Intrusion Prevention System) to ensure security when users access applications in the data centers. The firewall is configured in cluster mode with application visibility, and anti-malware protection is turned on. The IPS is configured in monitor mode and sends alerts to an in-house SIEM. Firewalls and IPSs have 3-5 year software subscription contracts enabled.
ISI has also adopted zero trust in its environment, which requires end users to go through MFA (Multi-Factor Authentication). Additionally, it uses a MySQL database management server to store the credentials of its end users. Only hashed outputs of the usernames and passwords are kept in the ISI database server.
All design documentation for customers, quotations and other proprietary information is maintained and distributed through the ISI documentation server. This server is kept in a secure, locked environment and only authorized personnel are permitted access. Administrator access is permitted only to the CEO/CISO/Security Specialist team of ISI, and all communication is monitored and logged. The server is accessible only through the authentication, authorization, and accounting services used by ISI to validate the identity and permissions of incoming network connections.
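The credential store above keeps only hashed outputs, never the password itself. The following is an added example (not ISI's code) of what that looks like on the password side: a per-user random salt, a slow key-derivation function, and a constant-time comparison on login. The in-memory dictionary and the iteration count are assumptions standing in for the MySQL table and the server's tuned work factor.

```python
import hashlib
import hmac
import os
from typing import Dict

# Hypothetical in-memory store standing in for the MySQL credential table:
# each record holds only a salt and the derived hash, never the plaintext.
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to the server's capacity
_STORE: Dict[str, Dict[str, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: equal passwords never share a stored value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def register(username: str, password: str) -> Dict[str, bytes]:
    """Store the credential; the returned record is all that lands in the database."""
    salt = os.urandom(16)
    record = {"salt": salt, "hash": _derive(password, salt)}
    _STORE[username] = record
    return record


def verify(username: str, password: str) -> bool:
    """Re-derive and compare in constant time so the comparison leaks nothing.

    Unknown users are still run through the KDF against a dummy salt, so a
    missing account cannot be told apart from a wrong password by timing.
    """
    record = _STORE.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    candidate = _derive(password, salt)
    if record is None:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def stored_values_leak_password(username: str, password: str) -> bool:
    """Sanity check: the plaintext must not appear anywhere in the stored record."""
    record = _STORE[username]
    return password.encode("utf-8") in (record["salt"] + record["hash"])


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")  # same password, different hash
    print("alice ok:", verify("alice", "correct horse battery staple"))
    print("alice wrong:", verify("alice", "wrong"))
    print("alice/bob hashes equal:", _STORE["alice"]["hash"] == _STORE["bob"]["hash"])
```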
Management
The ISI management team specializes in the areas of IP Networks, Systems and Security, Application Delivery and Data Protection solutions. The management personnel of ISI consist of dedicated professionals with relevant experience. These professionals have undergone a thorough background check of their degrees and experience.

  • Roles and Responsibilities
The Chief Executive Officer (CEO), who is also a member of the board, provides the vision, and the rest of ISI's leadership drives strategy and executes it. ISI is one of the few organizations that is led by a CEO with a cyber-security leadership background.
The Chief Marketing Officer (CMO) of ISI is responsible for driving the marketing strategy of the company; all advertising campaigns, market research, trainings, collateral and other marketing activities must come from his organization. The CMO reports directly to the CEO of ISI. The Chief Information System Officer (CISO) and his team are responsible for the security of the organization. The CISO and his legal and compliance team ensure that ISI is in compliance with state and federal regulations. The CISO develops and implements the security policy framework across the company. This position requires in-depth experience and expertise in the cybersecurity field, including writing security policy and understanding security architectures. The CISO reports directly to the CEO of ISI and keeps him or her abreast of the security posture of the organization.
ISI has different offices or business units within the company, for example a) the Office of the CEO, b) the Office of the CISO, c) the Office of the CMO, etc.; there are tens of employees within each office. The CISO manages the compliance team as well, so the compliance team, under the leadership of the Chief Compliance Officer, reports to the CISO.
  • Planning Management
The design documentation of end customers is hosted behind a data center firewall and IPS. The content is hosted on a documentation server that only permits the secure file transfer protocol (SFTP). This server is named the ISI Design Server and is the central management host for the organization. The ISI Design Server is managed within the confines of ISI's operations facility and only permits local access. The CISO of ISI approves all changes to ISI's final design documentation for end customers. Many security controls are implemented to secure the design server, including MFA (Multi-Factor Authentication), an east-west firewall, a web application firewall, etc.
  • Implementation Management
ISI's website is managed in-house; it is configured with TLS and protected by a WAF (Web Application Firewall). The WAF sits just in front of the web app/site, hardening request control and tightening its filters to match the specifics of the web application. ISI ensures that end users cannot send requests directly to its web server (at the TCP level), which could otherwise facilitate attacks. ISI therefore enforces DMZ-style network isolation by deploying a reverse proxy as the front end of the web server. This helps ISI manage more easily which network flows can legitimately be sent to the server (and covers other needs such as load balancing). Additionally, the same WAF technology can also be used together with the east-west firewall to secure the design documentation server.
  • Human Resource Management
ISI Human Resource Management (HRM) focuses on recruiting, managing, and providing direction and guidance for the people who work in the organization. The ISI HRM department members provide the knowledge, necessary tools, training, administrative services, coaching, legal and management advice, and talent management oversight that the rest of the organization needs for successful operation.

Planning

Information Security Implementation
  • Physical security
Physical security is vital for any organization like ISI. ISI has implemented a defense-in-depth strategy which includes physical security. Here are some of the physical security features implemented as part of ISI's defense-in-depth strategy:
  • Intrusion detector
  • CCTV, smart cards
  • Fire extinguisher
  • Guards
  • Suppression systems
  • Intrusion alarm
  • Motion detectors
  • Physical access
  • Chain link fence
  • RFID tags
  • Barbed wire
The ISI offices and facilities are kept secure through the use of guards, closed-circuit television (CCTV), and smart cards. The security guards screen visitors and employees before they enter the premises. All possible logs are maintained for the time frame recommended by the applicable compliance rules and regulations.
  • Access control
ISI monitors access to its web applications, corporate servers and other domains through the use of a network firewall, IPS and WAF. The SIEM assists in correlating the alerts and threat information that are critical to ISI, which gives the incident response team visibility into threat information. The incident response team's job is to hunt for threats and remediate them before they penetrate the network. A wide group of teams, business units and individuals require data access and therefore must share responsibility for the use of that data. As part of this shared responsibility, and in the process of managing their data, individual business units are responsible for following ISI policies in the development and implementation of procedures to protect and control access to their data.
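To make the SIEM correlation concrete, here is an added example (not ISI's SIEM or its real rule set) that joins firewall denies with alerts from the monitor-mode IPS described in the architecture section. The single-line event format, the 5-minute window and the deny threshold are all assumptions; the sample events are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in a made-up single-line format, standing in for
# what the north-south firewall and the monitor-mode IPS forward to the SIEM.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_EVENTS = """\
2021-07-19T10:00:01 firewall DENY src=203.0.113.5 dst=198.51.100.10 dport=22
2021-07-19T10:00:02 firewall DENY src=203.0.113.5 dst=198.51.100.10 dport=3306
2021-07-19T10:00:03 firewall DENY src=203.0.113.5 dst=198.51.100.10 dport=8080
2021-07-19T10:00:09 firewall ALLOW src=203.0.113.5 dst=198.51.100.10 dport=443
2021-07-19T10:00:10 ips ALERT src=203.0.113.5 dst=198.51.100.10 sig=web-sqli-attempt
2021-07-19T10:05:00 firewall DENY src=203.0.113.77 dst=198.51.100.10 dport=23
2021-07-19T10:30:00 ips ALERT src=203.0.113.77 dst=198.51.100.10 sig=web-sqli-attempt
2021-07-19T11:00:00 firewall ALLOW src=192.0.2.20 dst=198.51.100.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>firewall|ips) (?P<action>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) (?:dport=(?P<dport>\d+)|sig=(?P<sig>\S+))$"
)
WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_DENIES = 3                 # assumed number of denies that counts as probing


def parse(text: str) -> List[dict]:
    """Turn raw lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM should count unparsable lines, not drop them
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events: List[dict]) -> List[Dict[str, str]]:
    """Escalate an IPS alert only when the same source was denied by the
    firewall at least MIN_DENIES times within WINDOW before the alert:
    probing followed by an attack attempt outranks either signal alone."""
    denies = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sensor"] == "firewall" and ev["action"] == "DENY":
            denies[ev["src"]].append(ev["ts"])
    findings = []
    for ev in events:
        if ev["sensor"] != "ips":
            continue
        recent = [t for t in denies[ev["src"]] if ev["ts"] - WINDOW <= t <= ev["ts"]]
        if len(recent) >= MIN_DENIES:
            findings.append({"src": ev["src"], "dst": ev["dst"], "sig": ev["sig"],
                             "denies_in_window": str(len(recent)),
                             "first_seen": recent[0].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse(SAMPLE_EVENTS)):
        print(finding)
```

Only the first source is escalated: the second source's single deny falls outside the window of its later alert, so it stays an ordinary IPS alert for the hunt team rather than a correlated finding.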
  • Website Data Security
ISI has established a secure website with a web application firewall activated to prevent attacks and hacks. It also follows website security best practices and has no configuration issues or known vulnerabilities. Web data is secured through the use of TLS when users log in; because ISI uses HTTPS, the communication is already encrypted.
  • Mobile and Cloud service
ISI uses AWS for HR, financial and a few other applications. For example, employees can access HR portals using their mobile devices. ISI uses Gmail for email, which, on reflection, is also a cloud service that can be used from desktops, smartphones, etc.
  • Timely Integration of Information
ISI has an information integration system deployed which offers uniform access to a set of autonomous and heterogeneous data sources (e.g. customer documentation and partner data). Sources can range from database systems and legacy systems to forms on the Web, web services and flat files. The data in the sources need not be completely structured as in relational databases. The number of sources in an information integration application can range from a handful to thousands.
  • Reliable Communication
Reliable communication channels have been established for the company, including email encryption and a virtual private network.
  • System Development and Maintenance
ISI has developed systems for which security has to be considered at all stages of the life cycle of an information system (i.e., feasibility, planning, development, implementation, maintenance, and retirement) in order to: a) ensure conformance with all appropriate security requirements, b) protect sensitive information throughout its life cycle, c) facilitate efficient implementation of security controls, d) prevent the introduction of new risks when the system is modified, and e) ensure proper removal of data when the system is retired. This policy provides guidance to ensure that system security is considered during the development and maintenance stages of an information system's life cycle.
  • Contingency Planning
In the event that key executives are not available, their interim roles can be taken over by other nominated executives. If there is an outage at one ISI data center due to power failure or attack, the redundant documentation design server will automatically be enabled and used. All alternative solutions have been tested for interoperability with the current deployment, providing high resource availability.
  • Natural Calamities
In the event of a natural disaster, the staff of ISI will evacuate the primary location. The backup site has a redundant documentation design server as well as a redundant web server, both of which are incrementally backed up on a daily basis. The documentation servers also have redundant servers that provide ISI's services in the event of a natural disaster.
  • Power Outage
In the event of a power outage, ISI's data centers, branches and offices have a back-up power generator and an uninterruptible power supply in place. Both sources of power are tested annually and equipped with additional gasoline.
  • Business Continuity Plan
ISI has established, documented, implemented and maintained processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. A management structure and relevant escalation trigger points have already been identified to ensure that, if and when an event increases in severity, the relevant escalation to the appropriate authority is made effectively and in a timely manner. It is clear when there is a return to business as usual and any BCP processes stop.
Implementation Management
  • Proposed Timeline/Execution
Implementation of the ISSP within ISI must be carried out in phases with strict timelines. Typically, a quarterly phased approach is an effective way of implementing the plan.
  • Budget
The finance department will provide the budget for ISSP implementation. The process requires security teams to work with their management to get approval from executives. There are many phases: a) clear communication between technical teams and executives, b) ROI, c) business value, etc.
  • Risk Management
By implementing a risk management plan and considering the various potential risks or events before they occur, an organization like ISI can save money and protect its future. This is because a robust risk management plan will help a company establish procedures to avoid potential threats, minimize their impact should they occur and cope with the results. This ability to understand and control risk will allow organizations to feel more confident about their business decisions. Furthermore, strong corporate governance principles that focus specifically on risk management can help a company reach its goals.
At ISI, risk assessment is conducted on a monthly schedule to determine potential avenues of approach for an attacker. The risk assessment is conducted by the risk management team, along with the IT team. The risk assessment is conducted to determine the quantitative impact of a cyber-attack, vulnerability or system malfunction. A critical component of the success of ISI is its brand as the best solution integrator in the industry. Consequently, ISI conducts a qualitative risk assessment to determine the level of impact that a loss of credibility or public trust would impose. The results of both assessments illustrate the security posture of the organization and are used to allocate funds to decrease the attack surface of the organization.
  • Mitigation Planning, Implementation & Monitoring
Phishing attacks pose the greatest risk to ISI. As a result, the organization uses an effective email security gateway solution. ISI uses a SIEM to monitor its network for cyber attackers, as well as redundant systems to provide a high level of availability to its users.
  • Cost Management
The investment in cybersecurity must often be justified, especially in terms of the benefits that it brings to an organization like ISI. For audit/compliance reasons, ISI must often prove that it meets the key regulatory requirements within its marketplace. Regulations such as GDPR, and acts such as Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), and the Computer Fraud and Abuse Act, are a key driver for investments in cybersecurity, as a failure to comply with them can lead to significant fines or even criminal charges.
The CISO of ISI is responsible for determining a cost-effective methodology for managing risk to the organization. The goal of ISI's risk management strategy is to ensure that the CEO makes decisions that do not expose the organization to unforeseen threats. ISI takes into account industry best practices and builds an inherent risk profile using the FSSCC risk calculator to determine its security posture. Once the profile is calculated, senior management decides on cost-effective mitigation strategies for ISI.
  • Analysis & Recommendation Management
Humans are the most common threat vector in today's world. End users or employees clicking on phishing emails and getting compromised is very common, and executives are trapped by BEC (Business Email Compromise). There seems to be little focus on phishing and other security training within ISI. It is recommended that ISI hold regular training for its employees.
ISI's infrastructure relies primarily on third-party involvement. As stated before, ISI may conduct quarterly risk assessments, but these assessments do not include the intricate and proprietary infrastructures of the cloud services, network monitoring, and learning management systems that an adversary could use as an attack vector.
  • Student Assessment of ISSP to Cyber Management
This ISSP provides details on how to implement best practices in an organization. The ISSP helps an organization to holistically understand and implement security policies across the organization. There is a need to educate the executive class on this framework; it is challenging for a security specialist to communicate with and convince the executive class because of the complexity. It is not easy for a technical person to transform complex information into a simple high-level message.
Reflection
The development of the ISSP (Information System Security Plan) provided the guidelines, details of the best practices, policies and plan needed to secure data and information systems. It gives us the complete picture of how an organization enables processes and plans to secure its networks, systems and applications. We learnt during this course that the actual purpose of an ISSP is to provide an overview of the security requirements of the system and describe the controls in place or planned, and the responsibilities and expected behavior of all individuals who access the system.
The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan, and the structure and format may be organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Cybersecurity practices implemented using the ISSP have as their aim the securing, that is, the keeping safe, of data, computer systems and networks (software and hardware). While those data, systems, and networks might have some economic or other value in and of themselves, what cybersecurity practices primarily protect are the integrity, functionality, and reliability of the human institutions and practices that rely upon such data, systems, and networks. And in protecting those institutions and practices, cybersecurity professionals and leaders in turn are protecting the lives and happiness of the human beings who depend upon them.
This means that ethical issues are at the core of cybersecurity practices, because these practices are increasingly required to secure and shield the ability of human individuals and groups to live well. And given the increasing complexity and difficulty of securing online data and systems across a proliferating landscape of cloud computing services, WiFi-enabled mobile devices, and 'smart' objects, against a multiplicity of hostile actors exploiting lax or under-resourced security controls, the ethical responsibility to protect others that is borne by cybersecurity professionals is an increasingly heavy burden.
References
NIST. (2006, February). SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems. Retrieved July 1, 2018, from https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives: A Practical Guide. Hoboken, NJ: Wiley.
Information Continuity Aspects of Business Continuity Management. Retrieved from https://www.isms.online/iso-27001/annex-a-17-information-security-aspects-of-business-continuity-management/
Ranjan Kunwar - Capstone
All rights reserved 2021