
Running head: AgileFine Software

AgileFine Software

Ted Huskey

Cyber Management

CSOL 550

09 July 2018

Prof. D. Biedermann

Table of Contents

Abstract………………………………………………………………………………pg 3

1: Company Summary………………………………………………….……………pg 4

2: Management………………………………………………………….……………pg 4

3: Planning Management……………………………………………….………….…pg 6

4: Implementation Management…………………………………………………...…pg 9

5: Risk Management……………………………………………………………….…pg 9

6: Cost Management………………………………………………………………….pg 11

7: Recommendation…………………………….…………………………………….pg 11

8: Student Assessment of ISSP alignment to Cyber Management ….…………….…pg 12

References:…………………………………………………………………………....pg 14

Abstract

This Information Systems Security Plan (ISSP) provides the foundation for determining the security required to protect AgileFine Software's information systems. This ISSP will describe the system down to the component level, articulate the security boundaries, and lay out roles and responsibilities. Just as the risk of cyber threats constantly evolves, so too must this ISSP. This ISSP should be considered a living document, to be updated in concert with threats and with significant changes in AgileFine Software's security policies.


1: Company Summary

AgileFine Software is a well-established, industry-leading payroll software company headquartered in the state of California in the United States of America. In 25 short years, AgileFine has grown to over 1,000 employees with offices in every major US and Canadian city. Given its sustained and consistent growth, AgileFine Software intends to open over 25 offices in Mexico and South America in the coming decade.

Given the sensitive nature of the information used and processed by its software, AgileFine Software is committed to providing the very best protection for the very important payroll and personnel information processed by our software every minute of every day of every year. As a recent winner of the Global Payroll Award, AgileFine Software is a leader in providing the best security for our customers' precious data.

1.1 Enterprise Architecture

As a physically large and geographically dispersed company, AgileFine Software relies heavily on our client-server architecture to provide persistent network availability, which in turn gives all 1,000 employees assured access. Offsite and remote employees, as well as customers, are able to access the company network (commensurate with their permissions) day or night, confident that the data, from their terminal all the way through to the redundant offsite backup facilities, is secured and protected. The enterprise architecture is robust and adaptive and provides flexibility and scaling commensurate with the network load/demand.

2: Management

Management plays a critical role in the development, support and implementation of the Information Systems Security Plan (ISSP) (Bowen, Chew and Hash, 2007). Human nature being what it is, employees take their lead from their leaders, and AgileFine Software leaders are committed to supporting every aspect of the ISSP, including dissemination down to the employees. Management will do everything it can to empower employees to take a more active role in implementing and supporting the ISSP. Dedicated training, kicked off by the CISO, will be implemented as part of this ISSP to ensure employees can see, first hand, that management is behind this ISSP. The better management explains roles and responsibilities, the better the chance for greater employee support, engagement and company success.

2.1 Roles and Responsibilities

Management is not simply one or two or three people; rather, when it comes to this Information Systems Security Plan, 'management' is every person who contributes to the development and implementation of the ISSP. Support of the ISSP is not limited exclusively to management. Regular, non-leadership employees have a role to play as well. Theirs is perhaps the most important role – the role of implementer. If this ISSP does not have dedicated, wholesale employee buy-in, it is at risk of not being completely and comprehensively supported and implemented. Failure to properly implement the ISSP will have detrimental effects. ISSP support is an all-hands evolution. Table 1 is a listing of the ISSP management team with a brief description of each role (derived from the preeminent authoritative ISSP source, NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems (NIST, 2006)). This is a somewhat abbreviated listing. A more complete and thorough listing can be found in the applicable section of SP 800-18.


AgileFine Software ISSP Management Team

Role: Chief Information Officer (CIO)
Responsibility: Responsible for developing and maintaining a company-wide information security program.

Role: Information System Owner
Responsibility: Company official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Role: Senior Agency Information Security Officer (SAISO)
Responsibility: Company official responsible for serving as the CIO's primary liaison to the agency's information system owners and information system security officers.

Role: Information System Security Officer
Responsibility: Company official assigned responsibility by the SAISO, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.

Role: Authorizing Official (AO)
Responsibility: The authorizing official (or designated approving/accrediting authority as referred to by some agencies) is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.

Table 1

3: Planning

Every stage in the development of the ISSP is important, but the planning stage, the first critical step, literally sets the stage. It is in this stage that AgileFine Software security teams look across the entire organization's information system, the services it needs to provide and the potential threats it will face, and in doing so develop an understanding of the risks and threats, which in turn helps define the amount of work and resources required to provide security commensurate with the threats.

3.1 Information Security Implementation

The best tool is of little value if it cannot be used relatively easily. The AgileFine Software ISSP is designed to be of great value, starting with being very intuitive to the user. Ease of use is just the first step in ensuring proper implementation. AgileFine Software's goal is to make implementing our ISSP a pleasure and of value to the employee. Ease should not connote shallow or shoddy. Every aspect of the ISSP planning will be thorough and rigorous. Even though AgileFine Software is a large company with a proven track record for winning, we will not let our prior success lull us into substandard performance or compromise the level of attention to detail.

3.1.1 Physical security:

Given the considerable physical footprint of the AgileFine Software Company and its 1,000 employees, physical security, as the first line of defense, is a top priority. Access to company spaces will require dual-authentication passes to gain entry into any AgileFine Software building, with access controlled/limited based on an employee's approved access in alignment with Security Controls and Assessment Procedures for Federal Information Systems and Organizations (NIST SP 800-53) (NIST, 2017). Non-employees must sign in and out and be escorted at all times. Contractors or temporary-hire consultants will be required to sign a non-disclosure agreement (NDA) and wear a clearly discernible 'authorized' badge or ID tag.


3.2 Contingency Planning

Having a good plan is a good first step, but AgileFine Software is committed to doing better than good. Experience has shown, time and again, that even the best plans need a backup, which is why our ISSP includes a contingency plan. The contingency plan is based on the 7-step process from Information Security Handbook: A Guide for Managers (NIST SP 800-100) (NIST, 2006). See Figure 1.

By following the steps outlined in Figure 1, AgileFine Software acknowledges that things may not always go as planned or expected, and that having a contingency plan ready to execute ensures our system is protected and that we can continue to operate in business-as-usual mode.

Figure 1

4: Implementation Management

The best plan poorly implemented is waste: wasted effort, wasted money and wasted employee goodwill, and it can set a company on a path to certain failure. AgileFine Software is committed to ensuring this ISSP is properly implemented and easy to use without perturbing normal business operations. One key to ensuring seamless implementation is prioritizing the implementation process, starting with designating an implementation lead. This lead person will be charged with managing the implementation schedule, budget execution and coordination with division leads.

Timely implementation of the ISSP is vital to its success. Implementation of this ISSP is to commence no later than 14 working days after approval. Funding should be released concurrent with ISSP approval, at the direction of the Chief Information Security Officer (CISO). Any delays or unexpected cost overruns will be reported immediately to the CISO who, if necessary, will obtain schedule relief and additional budget as needed to keep the effort on track.

5: Risk Management

Risk management is where the cybersecurity rubber meets the road. It is unrealistic and naïve to think all risk can be eliminated or prevented. The best that can be expected is to manage the inevitable risk. Risk management is the process that acknowledges the inevitability of cyber risk and the process by which we have the best shot at managing it.

AgileFine Software follows the guidance in NIST SP 800-39, Managing Information Security Risk, using the four-step iterative process: Frame (establish context and provide a common perspective on risk), Assess (identify, prioritize and estimate risk), Respond (identify, evaluate, decide on and implement courses of action) and Monitor (provide the means to verify, compare and determine effectiveness), as illustrated in Figure 2 (NIST, 2011).

Figure 2

6: Cost Management

AgileFine Software takes pride in its cost management practices. Every nickel wasted is a chink in our company's information security armor. One can easily and quickly spend oneself out of business trying to build a fortress of cyber security. Our success in managing cost can be attributed to our sense of balance.

Cost is more a tug of war than a balancing act. Every nickel is being eyed by someone for his or her respective effort. A process is required to put some structure into that tug of war. Our ISSP provides the foundation for cost balance. In developing the ISSP we had to balance staffing versus cost, and had to look across the spectrum from building up an in-house team to outsourcing, all with an eye on driving cost down while providing the desired level of performance. Our plan is comprehensive. It considers and weighs cost against growth/creep, and it has the necessary mechanisms in place to keep them in check or to seek relief.

7: Analysis & Recommendation Management

AgileFine Software is projected to have a sustained business growth trajectory. That growth brings opportunities as well as risk. This ISSP is well thought out and comprehensive, and it puts into place mechanisms and processes to protect our data and information system. It is recommended that this plan be approved, funded and implemented as soon as reasonably practical so AgileFine Software is able to continue its stellar record of zero major cyber incidents.


8: Student Assessment of ISSP to Cyber Management

Processes help keep people out of jail, and a good ISSP, like this one, provides very good processes. Protecting the information systems and the data that rides on them, particularly its confidentiality, integrity and availability, is of utmost importance. See Figure 3 from SP 800-18.

As written, this ISSP provides the desired protection. Due to the ever-changing world of cyber security, ISSPs will require frequent updates – and that's a good thing. Acknowledging that the document will require updating, and having the mechanisms in place to do just that, makes the ISSP more user friendly, which increases the likelihood that it will be used, which in turn should help protect the system.

References:


Bowen, P., Hash, J. and Wilson, M. (2006, October). Information Security Handbook: A Guide for Managers, SP 800-100. Retrieved from https://nvlpubs.nist.gov/nistpubs/legacy/sp/

Bowen, P., Chew, E. and Hash, J. (2007, January). Information Security Guide for Government Executives. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/nistir/7359/final/documents/

Swanson, M., Hash, J. and Bowen, P. (2006, February). Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18 Rev 1. Retrieved from https://csrc.nist.gov/publications/detail/sp/

NIST. (2017, August). Security and Privacy Controls for Information Systems and Organizations, SP 800-53. Retrieved from https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

NIST. (2011, March). Managing Information Security Risk, SP 800-39. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
