Pegasus Corps
Chelsea Hitt
Cyber Management
CSOL 550
5 December 2016
Mr. McCready
Pegasus Corps
Table of Contents
Abstract
1: Company Summary
2: Management
3: Implementation Management
References
Abstract
The purpose of this document is to define the Information Systems Security Plan (ISSP)
for Pegasus Corps. The purpose of the ISSP is to define system components, operational
boundaries, and roles and responsibilities for managing the system. Pegasus Corps is a fictional
software company thought up for the purpose of this final project for CSOL 550.
1: Company Summary
Pegasus Corps is a software company established and run in Murrieta, CA. The owner
and CEO of Pegasus Corps is a veteran of the US Armed Forces. The purpose of Pegasus Corps
is to create and distribute software that creates outlets for service members serving overseas.
The outlets are there to help pass the time or deal with issues experienced while on deployment.
Software is distributed either as an app or as a download from the Pegasus Corps webpage for use on
computers.
Pegasus Corps is dedicated to serving our clientele while they are overseas serving their
country. Because of this dedication, one of Pegasus Corps' main goals is the protection of its
clients' information, both financial and personal. Pegasus Corps pledges to have one of the best IT
departments for a company of its size. Because we are a small business some of our IT
2: Management
Role / Responsibility

Chief Information Security Officer (CISO): In a C-level management position, the CISO
oversees and provides leadership for any initiatives that concern the overall security of
an organization. At big companies, the CISO may even find themselves consulting with the
FBI, law enforcement and government on corporate security matters (Cyber Degrees, 2015).

Information System Owner (ISO): The information system owner is the agency official
responsible for the overall procurement, development, integration, modification, or
operation and maintenance of the information system (Swanson, Hash, & Bowen, 2006).

Information Owner (IO): The information owner is the agency official with statutory or
operational authority for specified information and responsibility for establishing the
controls for its generation, collection, processing, dissemination, and disposal
(Swanson, Hash, & Bowen, 2006).

Authorizing Official: The authorizing official (or designated approving/accrediting
authority, as referred to by some agencies) is a senior management official or executive
with the authority to formally assume responsibility for operating an information system
at an acceptable level of risk to agency operations, agency assets, or individuals
(Swanson, Hash, & Bowen, 2006).

Security Administrator: A Security Administrator is basically the point man/woman for
cyber security systems. Although job descriptions vary widely, they will likely be
responsible for installing, administering and troubleshooting an organization's security
solutions (Cyber Degrees, 2015).

Information Security Manager: An Information Security Manager is expected to manage an
organization's IT security in every sense of the word, from devising imaginative security
solutions to implementing policies and training procedures. Although their technical
skills may take a backseat, they will be the driving force behind your company's security
measures (Cyber Degrees, 2015).

Vulnerability Assessor: A Vulnerability Assessor (a.k.a. Vulnerability Assessment Analyst)
scans applications and systems to identify vulnerabilities. In other words, prospective
employees are looking for trouble, searching a network for critical flaws. They are
expected to present their findings in a comprehensive, prioritized list (the Vulnerability
Assessment) that organizations can use as a blueprint for improvements (Cyber Degrees,
2015).
2.2.1 Planning
Contingency planning is a step Pegasus Corps takes very seriously. An Information
System Contingency Plan (ISCP) provides established procedures for the assessment and
recovery of a system following a system disruption. The ISCP provides key information needed
for system recovery, including roles and responsibilities, inventory information, assessment
procedures, detailed recovery procedures, and testing of a system (Swanson, Bowen, Phillips,
Gallup, & Lynes, 2010). Pegasus Corps intends to have multiple ISCPs set up in order to cover
Pegasus Corps' main goal, besides helping service members while they are serving
overseas, is protecting the information of those same service members. Pegasus Corps will focus
not just on security at the cyber level but also at the physical level. Information is just as
Because Pegasus Corps is a relatively small company, physical security will be
contracted out to a local security company that will handle security of our facility. Pegasus
Corps will also utilize a local security service to patrol the area around our
facility; the patrols will mostly take place after hours. The contract with the security company
will give Pegasus Corps access to security cameras and alarms; alarms are to be armed
after hours.
Standard user accounts will be used for the routine use of the information systems.
Passwords are to be 10-15 characters in length and contain both lower- and upper-case letters,
A help desk will be available in case an employee becomes locked out of their
system.
Establish a policy for disabling accounts upon termination or transfer of personnel that will
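As an added example, not part of the original plan, the password rule stated above (10-15 characters, both lower- and upper-case letters) expressed as a check that an account-provisioning script or help desk tool could run before accepting a new password. The sentence in the plan is cut off in the source, so any further requirements it contained are unknown and are not checked here; the function names and the sample passwords are this example's own assumptions.

```python
import re

# Bounds taken from the plan's stated rule: 10-15 characters.
MIN_LEN, MAX_LEN = 10, 15


def check_password(password: str) -> list[str]:
    """Return the list of rule violations for the plan's stated password rule.

    An empty list means the password satisfies every rule checked here.
    Only the rules visible in the plan are implemented: length bounds and
    the presence of at least one lower-case and one upper-case letter.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    return problems


def is_compliant(password: str) -> bool:
    """True when check_password() reports no violations."""
    return not check_password(password)


# Constructed sample inputs (not from the plan), one per rule.
SAMPLES = {
    "Pegasus2016ok": [],                                  # 13 chars, mixed case
    "pegasus2016": ["no upper-case letter"],
    "PEGASUS2016": ["no lower-case letter"],
    "Pegasus1": ["shorter than 10 characters"],
    "PegasusCorpsMurrieta": ["longer than 15 characters"],  # 20 chars
}

if __name__ == "__main__":
    for pw, expected in SAMPLES.items():
        result = check_password(pw)
        assert result == expected, (pw, result)
        status = "OK" if not result else "REJECT: " + ", ".join(result)
        print(f"{pw!r:24} {status}")
```

The 15-character ceiling is the plan's rule as written; a deployment would likely raise or drop it, since current guidance (NIST SP 800-63B) recommends permitting much longer passwords.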
2.2.1.2.3 Training
Murrieta. There will also be safeguards put in place to help protect the financial information and
personal information of our clients. Anti-virus software will also be utilized to help protect the
Mobile and cloud services will be offered for those clients utilizing the app version of
our software. As a company we recommend that clients have the best form of security set up on
their mobile device as well as secure passwords for the cloud. If possible we will offer data
storage for clients unable to store all their data due to the environment they may be in.
conducted quarterly. After quarterly maintenance has been conducted, guidance will be handed
over to the CEO and CISO in the event there needs to be an upgrade or the purchase of new
equipment.
Our highly trained IT staff will be well versed in the different risks that could affect our
systems and therefore our company. Any and all risks that are identified will be logged and
An annual Risk Assessment will be conducted at the beginning of each fiscal year to
outside agency, making sure there are no biases involved in the process. Once the assessment is
concluded and the results are handed over to the CISO and CEO, Pegasus Corps can make decisions
If a risk is discovered, a specialized team within the Pegasus Corps IT staff will begin
immediate analysis of the risk and determine how best to mitigate it and what possible
ramifications there might be. The analysis of the risk will take top priority for this team and will
be their sole mission in this event. Results will then be turned over to the CISO and CEO so a
Server modernization:
Pegasus Corps will maintain the most current servers possible, as long as the budget
Self-service desks:
Although employees of Pegasus Corps will have to utilize a help desk to reset
passwords, clients will be able to utilize a self-service desk option to reset passwords.
This self-service desk will also have quick-fix and how-to tips to fix issues with the
Utilizing a hybrid form of IT support, most functions will be handled off site while a
Pegasus Corps will empower our employees to look for inefficiencies and identify
Go Green:
Invoices to clients and/or vendors will be digital; however, hardcopies will be made
Pegasus Corps will reduce development costs by limiting distribution to digital copies.
This will save on the cost of creating and shipping CDs to our clients. The app will be made available in
participating app stores; updates to the app will come on a yearly basis or when significant patches
need to be applied for security purposes. Digital downloads from our webpage will also require
updates; updates can be made from inside the program itself as long as an account is set up
Physical security will be outsourced to local security companies. Each year Pegasus
Corps will review local companies and accept proposals and bids from them. The
company with the best program and the right price will be contracted.
Costs that Pegasus Corps is planning on are: salaries of its employees, paying for the
contracted security company, licenses for anti-virus software for servers and the webpage,
upgrades and new hardware replacements, and a special pot of money set aside to deal with
residual risks.
Potential costs are those that Pegasus Corps was not banking on. These could be money
unexpectedly.
3: Implementation Management
Any and all changes to policy and management decisions will go into effect at the
beginning of the fiscal year. There will be a 30 to 60 day trial period to verify that all
aspects of the ISSP are functioning properly and to make adjustments if need be.
Benchmarks will be set up to help track progress; the CISO will meet with the CEO
quarterly to discuss the benchmarks and progress within the company. If any changes
need to be made in the cybersecurity department, decisions will come from these quarterly
meetings.
3.2 Budget
Pegasus Corps will function on a budget of 1 million dollars a fiscal year. This
budget will cover personnel salary, cybersecurity needs, and software development. The
cybersecurity department will have a substantial portion of the annual budget dedicated to
budget will be broken down into sections: outsourcing, in-house, risk management, and
vulnerability assessments. With the budget broken down, each department within
cybersecurity will know how much money it must function on.
If during the fiscal year it becomes apparent that the current budget is not
working, proposals can be drafted and sent to the CEO for consideration. However each
Make sure everyone within your department is cross-training with other
Managers also need to be well versed in the job; we here at Pegasus Corps
Pegasus Corps hopes to one day expand its operation by becoming a large-scale
business within the next 10 years. The hope is to partner with the VA to better serve not
just service members still serving but also service members no longer actively serving. We
hope to partner with the USO as well, offering free app downloads to service members who stop
by the USO; these special app download codes will also help send a portion of in-app purchases
With the idea of growing as a business, Pegasus Corps will also increase its
cybersecurity needs.
The ISSP is an important tool in the realm of cyber management. It lays out everything
that needs to occur for a proper cybersecurity program to function. It is not just businesses with
clientele who need to utilize an ISSP; while doing research I noted that many universities
also utilize ISSPs, because, as some may forget, there are organizations that also have
cybersecurity needs, such as protecting their faculty's and students' PII.
References:
Cyber Degrees. (2015). Become A CISO. Retrieved 2016, from Cyber Degrees:
http://www.cyberdegrees.org/jobs/chief-information-security-officer-ciso/
Cyber Degrees. (2015). Become A Security Administrator. Retrieved 2016, from Cyber Degrees:
http://www.cyberdegrees.org/jobs/security-administrator/
Cyber Degrees. (2015). Become A Security Manager. Retrieved 2016, from Cyber Degrees:
http://www.cyberdegrees.org/jobs/security-manager/
Cyber Degrees. (2015). Become A Vulnerability Assessor. Retrieved 2016, from Cyber Degrees:
http://www.cyberdegrees.org/jobs/vulnerability-assessor/
Swanson, M., Hash, J., & Bowen, P. (2006). Guide for Developing Security Plans for Federal
Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). Contingency
Planning Guide for Federal Information Systems. Retrieved Nov 2016, from U.S.
Department of Commerce:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf