
Running head: Pegasus Corps

Pegasus Corps

Chelsea Hitt

Cyber Management

CSOL 550

5 December 2016

Mr. McCready

Table of Contents

Abstract

1: Company Summary

2: Management

2.1: Roles and Responsibilities

2.2: Planning and Risk Management

2.3: Cost Management

3: Implementation Management

4: Analysis & Recommendation

5: Student Assessment of ISSP alignment to Cyber Management

References


Abstract

The purpose of this document is to define the Information Systems Security Plan (ISSP) for Pegasus Corps. The purpose of the ISSP is to define system components, operational boundaries, and roles and responsibilities for managing the system. Pegasus Corps is a fictional software company thought up for the purpose of this final project for CSOL 550.


1: Company Summary

1.1 Enterprise Architecture

Pegasus Corps is a software company established and run in Murrieta, CA. The owner and CEO of Pegasus Corps is a veteran of the US Armed Forces. The purpose of Pegasus Corps is to create and distribute software that helps create outlets for service members serving overseas. The outlets are there to help pass the time or deal with issues experienced while on deployments. Software is either app based or offered as a download from the Pegasus Corps webpage for use on computers.

Pegasus Corps is dedicated to serving our clientele while they are overseas serving their country. Because of this dedication, one of Pegasus Corps' main goals is the protection of their clients' information, both financial and personal. Pegasus Corps pledges to have one of the best IT departments for a company of its size. Because we are a small business, some of our IT capabilities may need to be hybrid or outsourced completely.

2: Management

2.1 Roles and Responsibilities

Role: Chief Information Security Officer (CISO)
Responsibility: In a C-level management position, the CISO oversees and provides leadership for any initiatives that concern the overall security of an organization. At big companies, the CISO may even find themselves consulting with the FBI, law enforcement and government on corporate security matters (Cyber Degrees, 2015).

Role: Information System Owner (ISO)
Responsibility: The information system owner is the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system (Swanson, Hash, & Bowen, 2006).

Role: Information Owner (IO)
Responsibility: The information owner is the agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal (Swanson, Hash, & Bowen, 2006).

Role: Authorizing Official
Responsibility: The authorizing official (or designated approving/accrediting authority, as referred to by some agencies) is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals (Swanson, Hash, & Bowen, 2006).

Role: Security Administrator
Responsibility: A Security Administrator is basically the point man/woman for cyber security systems. Although job descriptions vary widely, they will likely be responsible for installing, administering and troubleshooting an organization's security solutions (Cyber Degrees, 2015).

Role: Information Security Manager
Responsibility: An Information Security Manager is expected to manage an organization's IT security in every sense of the word, from devising imaginative security solutions to implementing policies and training procedures. Although their technical skills may take a backseat, they will be the driving force behind your company's security measures (Cyber Degrees, 2015).

Role: Vulnerability Assessor
Responsibility: A Vulnerability Assessor (a.k.a. Vulnerability Assessment Analyst) scans applications and systems to identify vulnerabilities. In other words, prospective employees are looking for trouble, searching a network for critical flaws. They are expected to present their findings in a comprehensive, prioritized list (the Vulnerability Assessment) that organizations can use as a blueprint for improvements (Cyber Degrees, 2015).

2.2 Planning and Risk Management


2.2.1 Planning

2.2.1.1 Contingency Planning

Contingency Planning is a step Pegasus Corps thinks very highly of. An Information System Contingency Plan (ISCP) provides established procedures for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). Pegasus Corps intends to have multiple ISCPs set up in order to cover any and all situations that could come up.

2.2.1.2 Information Security Implementation

Pegasus Corps' main goal, besides helping service members while they are serving overseas, is protecting the information of those same service members. Pegasus Corps will focus not just on security at the cyber level but also at the physical level. Information is just as vulnerable in person as it is online.

2.2.1.2.1 Physical security:

Because Pegasus Corps is a relatively small company, physical security will be contracted out to a local security company who will handle security of our facility. Pegasus Corps will also utilize a local security service for the purpose of patrolling the area around our facility; the patrols will mostly take place after hours. The contract with the security company will allow Pegasus Corps to have access to security cameras and alarms; alarms are to be utilized after hours.

2.2.1.2.2 Access control:


Separate Account Types:

Standard user accounts will be used for the routine use of the information systems.

Administrator accounts will be established for performing tasks requiring elevated privileges (e.g., installing and updating third-party software).

Passwords are to be 10-15 characters in length and contain lower and upper case letters, special characters and numbers. Passwords are to be changed every 60 days.

A help desk will be available in case an employee becomes locked out of their system.

Establish a policy for disabling accounts upon termination or transfer of personnel that will ensure data integrity.
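The account rules above can be enforced mechanically rather than left to manual review. The following is an added example (not part of the original ISSP) that encodes the policy values exactly as stated in this section: a 10-15 character password with lower case, upper case, digit and special characters; 60-day rotation; separate standard and administrator account types; and disabling an account on termination or transfer. The Account class, the function names and the sample accounts are assumptions constructed for the illustration.

```python
"""Access-control policy checks for the rules in section 2.2.1.2.2.

Added example, not part of the original ISSP. Policy values below are taken
from the page; the Account class, helper names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import string

# Policy values as stated on the page
PASSWORD_MIN_LEN = 10
PASSWORD_MAX_LEN = 15
ROTATION_DAYS = 60
ACCOUNT_TYPES = ("standard", "administrator")


def password_policy_violations(password: str) -> List[str]:
    """Return the names of the rules a candidate password fails (empty list = compliant)."""
    violations = []
    if not PASSWORD_MIN_LEN <= len(password) <= PASSWORD_MAX_LEN:
        violations.append("length")
    required_classes = {
        "lowercase": string.ascii_lowercase,
        "uppercase": string.ascii_uppercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    for rule, alphabet in required_classes.items():
        if not any(ch in alphabet for ch in password):
            violations.append(rule)
    return violations


@dataclass
class Account:
    username: str
    account_type: str            # "standard" for routine use, "administrator" for elevated tasks
    password_set_on: date        # date the current password was set
    enabled: bool = True
    disabled_reason: Optional[str] = None

    def __post_init__(self) -> None:
        # Only the two account types defined by the policy are allowed
        if self.account_type not in ACCOUNT_TYPES:
            raise ValueError(f"unknown account type: {self.account_type}")


def password_expired(account: Account, today: date) -> bool:
    """True once the password has been in use for the full 60-day rotation window."""
    return (today - account.password_set_on).days >= ROTATION_DAYS


def disable_on_separation(account: Account, reason: str) -> Account:
    """Disable an account when its holder is terminated or transferred."""
    if reason not in ("termination", "transfer"):
        raise ValueError("reason must be 'termination' or 'transfer'")
    account.enabled = False
    account.disabled_reason = reason
    return account


def rotation_report(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Split enabled accounts into those with current passwords and those due for rotation."""
    report: Dict[str, List[str]] = {"current": [], "rotation_due": []}
    for acct in accounts:
        if not acct.enabled:          # disabled accounts are out of scope
            continue
        key = "rotation_due" if password_expired(acct, today) else "current"
        report[key].append(acct.username)
    return report


# Constructed sample data (not from the page)
SAMPLE_TODAY = date(2016, 12, 5)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "standard", date(2016, 11, 1)),          # 34 days old
    Account("jdoe-adm", "administrator", date(2016, 9, 15)),  # 81 days old
    Account("asmith", "standard", date(2016, 10, 6)),         # exactly 60 days old
]

if __name__ == "__main__":
    for pw in ("Pegasus2016!", "pegasus", "PEGASUS12345678!!"):
        print(pw, "->", password_policy_violations(pw) or "compliant")
    print(rotation_report(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
    disable_on_separation(SAMPLE_ACCOUNTS[2], "transfer")
    print(rotation_report(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
```

The rotation check treats an account whose password is exactly 60 days old as due, so "changed every 60 days" is enforced on the day the window closes rather than one day later; disabled accounts drop out of the report entirely, which matches the policy's intent that a separated employee's account is no longer operational.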

2.2.1.2.3 Training

Security Awareness & Training:

All users will take annual security awareness training.

The managers of each department will maintain training records.

2.2.1.2.4 Website Data Security:

The Pegasus Corps webpage will be protected by firewalls maintained at our headquarters in Murrieta. There will also be safeguards put in place to help protect the financial information and personal information of our clients. Anti-virus software will also be utilized to help protect the webpage and the clients utilizing it.


2.2.1.2.5 Mobile and Cloud service:

Mobile and Cloud services will be offered for those clients utilizing the app version of our software. As a company we recommend that clients have the best form of security set up on their mobile device as well as secure passwords for the Cloud. If possible we will offer data storage for clients unable to store all their data due to the environment they may be in.

2.2.1.2.6 System Development and Maintenance:

Maintenance performed by vendors will be approved by the ISO. Maintenance will be conducted quarterly. After quarterly maintenance has been conducted, guidance will be handed over to the CEO and CISO in the event there needs to be an upgrade or the purchase of new equipment.

2.2.2 Risk Management

Review and verify risk categorization annually.

Re-establish configuration benchmarks annually.

Calculate costs of residual risk.

2.2.2.1 Risk Identification

Our highly trained IT staff will be well versed in the different risks that could affect our systems and therefore our company. Any and all risks that are identified will be logged, and protocols to deal with them will be created.

2.2.2.2 Risk Assessment

An annual Risk Assessment will be conducted at the beginning of each fiscal year to determine if protocols need to be updated. These risk assessments will be conducted by an outside agency, making sure there are no biases involved in the process. Once the assessment is concluded and results are handed over to the CISO and CEO, Pegasus Corps can make decisions on new or updated cyber security protocols.

2.2.2.3 Analysis & Prioritization

If a risk is discovered, a specialized team within Pegasus Corps' IT staff will begin immediate analysis of the risk and determine how best to mitigate it and what possible ramifications there might be. The analysis of the risk will take top priority for this team and will be their sole mission in this event. Results will then be turned over to the CISO and CEO so a proper decision on how to handle the risk can take place.

2.3 Cost Management

2.3.1 Provide security infrastructure that reduces development costs

Server modernization:

Pegasus Corps will maintain the most current servers possible, as long as the budget allows for this course of action.

Self-service desks:

Although employees of Pegasus Corps will have to utilize a help desk to reset passwords, clients will be able to utilize a self-service desk option to reset passwords. This self-service desk will also have quick-fix and how-to tips to fix issues with the program before needing to escalate the issue to the Pegasus Corps IT department.

2.3.2 Reduce operational costs

Operational costs will be reduced by:

Outsourcing physical security needs.

Utilizing a hybrid form of IT support: most functions will be handled off site, while a skeleton crew will be on site to handle issues that may arise.

Identify Inefficiencies to Decrease Costs:

Pegasus Corps will empower our employees to look for inefficiencies and identify ways to save time and money.

Go Green:

Pegasus Corps will encourage employees to communicate via e-mail or phone.

Paychecks/stubs will be digital.

Invoices to clients and/or vendors will be digital; however, hardcopies will be made available upon request.

2.3.3 Reducing development costs

Pegasus Corps will reduce development costs by limiting distribution to digital copies. This will save on the cost of creating and shipping CDs to our clients. The app will be made available in participating app stores; updates to the app will come on a yearly basis or when significant patches need to be applied for security purposes. Digital downloads from our webpage will also require updates; updates can be made from inside the program itself as long as an account is set up linking the product to the Pegasus Corps webpage.

2.3.4 Cost of Security

Physical security will be outsourced to local security companies. Each year Pegasus Corps will look at local companies and accept proposals and bids from those companies. The company with the best program and right price will be contracted.

2.3.5 Planned costs


Costs that Pegasus Corps is planning on are: salaries of its employees, paying for the contracted security company, licenses for anti-virus software for servers and the webpage, upgrades and new hardware replacements, and a special pot of money set aside to deal with residual risks.

2.3.6 Potential costs

Potential costs are those that Pegasus Corps was not banking on. These could be money needed to repair damage due to an unforeseen attack or systems needing to be replaced unexpectedly.

2.3.7 Comparative costs with industry

3: Implementation Management

3.1 Proposed Timeline/Execution

Any and all changes to policy and management decisions will go into effect at the beginning of the fiscal year. There will be a 30 to 60 day trial period to verify that all aspects of the ISSP are functioning properly and to make adjustments if need be. Benchmarks will be set up to help track progress; the CISO will meet with the CEO quarterly to discuss the benchmarks and progress within the company. If any changes need to be made in the cybersecurity department, decisions will come from these quarterly meetings.

3.2 Budget

Pegasus Corps will function on a budget of 1 million dollars a fiscal year. This budget will cover personnel salary, cybersecurity needs, and software development. The cybersecurity department will have a substantial portion of the annual budget dedicated to it because the protection of our clients' information is paramount. The cybersecurity budget will be broken down into sections: outsourcing, in-house, risk management, and vulnerability assessments. With the budget broken down, each department within cybersecurity will know how much money they must function on.

If during the fiscal year it has become apparent that the current budget is not working, proposals can be drafted and sent to the CEO for consideration. However, each proposal must have sound reasoning behind it.

4: Analysis & Recommendation Management

4.1 Key Elements

Key elements recommended for management at Pegasus Corps are:

Always be engaged with employees.

Make sure everyone within your department is cross-training with other employees. In the event someone is not able to be at work, someone needs to be able to fill his or her position.

Managers also need to be well versed in the job; we here at Pegasus Corps expect managers to be able to do the work as well, not just observe.

4.2 Conclusion and Future Work

Pegasus Corps hopes to one day expand their operation by becoming a large-scale business within the next 10 years. The hope is to become partners with the VA to better serve not just service members still serving but also service members no longer actively serving. We hope to partner with the USO as well, offering free app downloads to service members who stop by the USO; these special app download codes will also help send a portion of in-app purchases back to the USO to help support their mission.

With the idea of growing as a business, Pegasus Corps also will increase their cybersecurity infrastructure, potentially requiring more in-house staff or further outsourcing of cybersecurity needs.

5: Student Assessment of ISSP to Cyber Management

The ISSP is an important tool in the realm of cyber management. It lays out everything that needs to occur for a proper cybersecurity program to function. It is not just businesses with clientele who need to utilize an ISSP, but while doing research I noted that a lot of universities also utilize ISSPs, because as some may forget there are organizations who also have cybersecurity needs like that of protecting their faculty and students' PII.

References:

Cyber Degrees. (2015). Become A CISO. Retrieved 2016, from Cyber Degrees: http://www.cyberdegrees.org/jobs/chief-information-security-officer-ciso/

Cyber Degrees. (2015). Become A Security Administrator. Retrieved 2016, from Cyber Degrees: http://www.cyberdegrees.org/jobs/security-administrator/

Cyber Degrees. (2015). Become A Security Manager. Retrieved 2016, from Cyber Degrees: http://www.cyberdegrees.org/jobs/security-manager/

Cyber Degrees. (2015). Become A Vulnerability Assessor. Retrieved 2016, from Cyber Degrees: http://www.cyberdegrees.org/jobs/vulnerability-assessor/

Swanson, M., Hash, J., & Bowen, P. (2006). Guide for Developing Security Plans for Federal Information Systems. Gaithersburg: U.S. Department of Commerce.

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems. Retrieved Nov 2016, from U.S. Department of Commerce: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
