AgileFine Software
Ted Huskey
Cyber Management
CSOL 550
09 July 2018
Prof. D. Biedermann
Table of Contents
Abstract
1: Company Summary
2: Management
3: Planning Management
4: Implementation Management
5: Risk Management
6: Cost Management
7: Recommendation
References
Abstract
This Information Systems Security Plan (ISSP) provides the foundation for
determining the security required to protect AgileFine Software’s information systems. This
ISSP will describe the system down to the component level, articulate the security boundaries
and lay out roles and responsibilities. Just as the risk of cyber threats constantly evolves, so too
must this ISSP. This ISSP should be considered a living document, to be updated in concert
with threats and with significant changes in AgileFine Software’s security policies.
1: Company Summary
headquartered in the state of California in the United States of America. In 25 short years, AgileFine
has grown to over 1,000 employees with offices in every major US and Canadian city. Given its
sustained and consistent growth, AgileFine Software intends to open over 25 offices in Mexico and
Given the sensitive nature of the information used and processed by its software, AgileFine
Software is committed to providing the very best protection for the very important payroll and personnel
information processed by our software every minute of every day of the year. As a recent winner of
the Global Payroll Award, AgileFine Software is a leader in providing the best security for our
relies heavily on our client-server architecture to provide persistent network availability,
which in turn assures all 1,000 employees access. Offsite and remote employees, as
well as customers, are able to access the company network (commensurate with their permissions)
day or night, confident that the data, from their terminal all the way through to the redundant
offsite backup facilities, is secured and protected. The enterprise architecture is robust and
adaptive and provides flexibility and scaling commensurate with the network load/demand.
2: Management
the Information Systems Security Plan (ISSP) (Bowen, Chew and Hash, 2007). Human
nature being what it is, employees take their lead from their leaders and AgileFine Software
leaders are committed to supporting every aspect of the ISSP, including dissemination down to
the employees. Management will do everything it can to empower employees to take a more
active role in implementing and supporting the ISSP. Dedicated training, kicked off by the
CISO, will be implemented as part of this ISSP to ensure employees can see, first hand, that
management is behind this ISSP. The better management explains roles and responsibilities,
the better the chance for greater employee support, engagement and company success.
Management is not simply one or two or three people; rather, when it comes
to this Information Systems Security Plan, ‘management’ is every person who contributes to
the development and implementation of the ISSP. Support of the ISSP is not limited exclusively to
management. Regular, non-leadership employees have a role to play as well. Theirs is perhaps
the most important role – the role of implementer. If this ISSP does not have dedicated
and implemented. Failure to properly implement the ISSP will have detrimental effects. ISSP
support is an all-hands evolution. Table 1 is a listing of the ISSP management team with a brief
description of their roles (derived from the preeminent authoritative ISSP source, NIST SP
800-18, Guide for Developing Security Plans for Federal Information Systems (NIST, 2006)).
This is a somewhat abbreviated listing. A more complete and thorough listing can be found in
Table 1: ISSP management team (columns: Role, Responsibility)
3: Planning
Every stage in the development of the ISSP is important, but the planning stage, the
first critical step, literally sets the stage. It is in this stage that AgileFine Software security
teams look across the entire organization’s information system, the services it needs to
provide and the potential threats it will face, and in doing so develop an understanding of the risks and
threats, which in turn help define the amount of work and resources required to provide the
3.1 Information Security Implementation
The best tool is of little value if it cannot be used relatively easily.
The AgileFine Software ISSP is designed to be of great value, starting with being very intuitive
to the user. Ease of use is just the first step in ensuring proper implementation.
AgileFine Software’s goal is to make implementing our ISSP a pleasure and of value to
the employee. Ease should not connote shallow or shoddy. Every aspect of the ISSP
planning will be thorough and rigorous. Even though AgileFine Software is a large
company with a proven track record for winning, we will not let our prior success lull us
Company and its 1,000 employees, as the first line of defense, physical security is a top
priority. Access to company spaces will require dual-authentication passes to
gain entry into any AgileFine Software building, with access controlled/limited based on
Procedures for Federal Information Systems and Organizations (NIST SP 800-53) (NIST,
2017). Non-employees must sign in and out and be escorted at all times. Contractor or
Having a good plan is a good first step, but AgileFine Software is committed to
doing better than good. Experience has shown, time and again, that even the best plans need a
backup, which is why our ISSP includes a contingency plan. The contingency plan is based
on the 7-step process from Information Security Handbook: A Guide for Managers (NIST SP
By following the steps outlined in Figure 1, AgileFine Software acknowledges that things may
not always go as planned or expected and that having a contingency plan, ready to execute,
ensures our system is protected and that we can continue to operate in business-as-usual mode.
Figure 1
4: Implementation Management
The best plan poorly implemented is waste: wasted effort, wasted money and wasted
employee goodwill, and it can set a company on a path to certain failure. AgileFine Software is
committed to ensuring this ISSP is properly implemented and easy to use without perturbing
normal business operations. One key to ensuring seamless implementation is prioritizing the
implementation process, starting with designating an implementation lead. This lead person
will be charged with managing the implementation schedule, budget execution and
Timely implementation of the ISSP is vital to its success. Implementation of this ISSP
is to commence no later than 14 working days after approval. Funding should be released
concurrent with ISSP approval, with release of funds at the direction of the Chief Information
Security Officer (CISO). Any delays or unexpected cost overruns will be reported
immediately to the CISO who, if necessary, will obtain schedule relief and additional budget
5: Risk Management
Risk management is where the cybersecurity rubber meets the road. It is unrealistic
and naïve to think all risk can be eliminated or prevented. The best that can be expected is to
manage the inevitable risk. Risk management is the process that acknowledges the
inevitability of cyber risk and is the process by which we have the best shot at managing
it.
Security Risk, using the four-step iterative process: Frame (establish context and provide a
common perspective on risk), Assess (identify, prioritize and estimate risk), Respond
(identify, evaluate, decide on and implement courses of action) and Monitor (provide
the means to verify, compare and determine effectiveness), as illustrated in Figure 2 (NIST,
2011).
Figure 2
6: Cost Management
AgileFine Software takes pride in its cost management practices. Every nickel wasted
is a chink in our company’s information security armor. One can easily and quickly spend
oneself out of business trying to build a fortress of cyber security. Our success in managing
Cost is more a tug of war than a balancing act. Every nickel is being eyed by
someone for his or her respective effort. A process is required to put some structure into that
tug of war. Our ISSP provides the foundation for cost balance. In developing the ISSP
we had to balance staffing versus cost, and had to look across the spectrum from building up
an in-house team to outsourcing, all with an eye on driving cost down while providing the
desired level of performance. Our plan is comprehensive. It considers and weighs cost against
growth/creep, and it has the necessary mechanisms in place to keep them in check or to seek
relief.
growth brings opportunities as well as risk. This ISSP is well thought out, comprehensive and
puts into place mechanisms and process to protect our data and information system.
practical so AgileFine Software is able to continue its stellar record of zero major cyber
incidents.
Processes help keep people out of jail, and a good ISSP, like this one, provides very
good processes. Protecting the information systems and the data that rides on them, particularly
its confidentiality, integrity and availability, is of utmost importance. See Figure 3 from SP
800-18.
As written, this ISSP provides the desired protection. Due to the ever-changing world of
cyber security, ISSPs will require frequent updates – and that’s a good thing. Acknowledging
that the document will require updating, and having the mechanisms in place to do just that, makes
the ISSP more user friendly, which increases the likelihood that it will be used, which in turn
References:
Bowen, P., Hash, J. and Wilson, M. (2006, October). Information Security Handbook: A
Guide for Managers, SP 800-100. Retrieved from https://nvlpubs.nist.gov/nistpubs/legacy/sp/
Bowen, P., Chew, E. and Hash, J. (2007, January). Information Security Guide for
Government Executives. Retrieved from
https://csrc.nist.gov/CSRC/media/Publications/nistir/7359/final/documents/
Swanson, M., Hash, J. and Bowen, P. (2006, February). Guide for Developing Security Plans for
Federal Information Systems, NIST SP 800-18 Rev1. Retrieved from
https://csrc.nist.gov/publications/detail/sp/
NIST. (2017, August). Security and Privacy Controls for Information Systems and
Organizations, SP 800-53. Retrieved from
https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
NIST. (2011, March). Managing Information Security Risk, SP 800-39. Retrieved from
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf