
Running head: THE ROOKIE CHIEF SECURITY OFFICER 1

Term Paper

Student’s Name

Institutional Affiliation

Introduction

Information security is an essential element of any firm with IT infrastructure and digital operations. It protects the organizational assets on which business operations depend from both external and internal threats. As companies rely increasingly on technology for efficiency and innovation, they must ensure that those investments do not end in reputational and financial losses. Furthermore, the constantly evolving threat landscape requires a dynamic and proactive approach to IT security.

Organization Chart

Successful IT security policies and initiatives depend on the participation of various personnel, each with a particular, complementary role. The organization chart uses the following legend for each role's relationship to the security function:

H – Oversees operations at a high level

C – Creates processes and procedures for performance of the function

I – Executes part of the function

E – Evaluates the effectiveness of the function

CIO

The Chief Information Officer is the most senior IT role involved in the digital forensics function and delegates authority to the forensic investigators so that investigations can proceed without interruption.

CISO

The Chief Information Security Officer develops and verifies the specifications of the security policies implemented within the organization's IT infrastructure.

IT Security Compliance Officer

The IT Security Compliance Officer ensures that the organizational IT policies conform to regulatory and industry standards, thereby minimizing data and litigation risk.
Digital Forensics Professional

Digital forensics professionals either lead investigations or, where they are not in charge, provide technical expertise to the forensic investigators.

IT Systems and Maintenance Professional

Personnel in this role provide forensic investigators with details of the technical aspects of the existing IT system and its underlying components. They also help identify security issues by supplying event logs on a regular basis.

IT Security Engineer

This role develops the data security policy, which sets out the required process for designing systems securely.

Security Manager

The security manager provides details about the existing physical security systems for

the organization’s IT assets.

IT Privacy Professional

IT Procurement Specialist

The IT Procurement Specialist procures hardware and software assets for the organization, using industry expertise to select the vendors best suited to the business's long-term goals.

The company's security organizational structure follows the guidelines of the Department of Homeland Security Essential Body of Knowledge (EBK) in that the security manager, the procurement professional, and the privacy professional contribute at the lower levels. These positions are responsible for implementing and maintaining the policies set at higher organizational levels. Their participation in the design, management, implementation, and evaluation of security programs increases their engagement in the process and helps the organization deliver effective security measures.

Part II: Request for Proposal Plan

Since the company has no prior expertise in managing security for complex IT infrastructure, it will solicit proposals from qualified vendors to provide the required IT services. The vendor's primary role will be developing the security processes and programs that secure the firm's information systems. Given the business's current expansion strategy and the desire to future-proof the infrastructure, the solution should cover both the logical and the physical security of the IT systems. The solution provider should also provide a means of secure communication and collaboration throughout the project's life cycle.

Vendors interested in fulfilling the roles defined above will have to meet several criteria before submitting proposals:

• Since the organization's IT infrastructure is distributed across various regions and offices, the proposed solution should provide comprehensive coverage together with a centralized management tool.

• The vendor should provide employee training on how to use the solution and develop processes for identifying and neutralizing IT threats without disrupting normal business operations.

• The vendor should provide after-sales technical support to deal with challenges that arise in the new system.

Once submitted, the proposals will be analyzed and a shortlist of qualified suppliers identified. The analysis will evaluate the following factors:

• A thorough understanding of the organization's business goals, demonstrated by detailing how the proposed solution would cover them adequately

• Technical competency in the proposed solutions, demonstrated through references from similar completed projects

• The pricing variations between vendors for the different parts of the project

Part III: Physical Security Plan

The physical security of a company's IT infrastructure complements its logical defenses. Gaps in the physical barriers around an IT system may give intruders direct network access, bypassing most logical measures and compromising company data. Physical access also increases the risk of damage to or loss of information, since intruders have far more leeway for malicious activity.

In this case, the physical protections form the first line of defense against external threats. The adequacy of the solutions depends primarily on the construction of the building housing the IT hardware, and the architectural design should take the expected use and the security requirements into account. Ideally, the building walls and perimeter fence should be made of reinforced concrete. Windows should be located high and barred to prevent unauthorized entry from outside. Additional preventive measures include electrified fencing above the perimeter wall. Data centers and other server spaces also require continuous cooling and ventilation, which in turn requires a stable power supply with backup in case of an outage. There should also be clear processes and procedures for emergencies such as fire, earthquakes, and floods, including fire extinguishers, alarms, and marked exits.

Physical access restrictions will further secure IT assets through building access controls such as RFID tags, biometric readers, and smart cards. All employees will carry smart ID cards so that entry is limited to authorized personnel. Biometric systems will be added for areas requiring additional security, such as server and telecoms rooms, where access is limited to a few people. Combining the smart card with a fingerprint or facial scan of the authorized person means that a lost or cloned card alone does not grant entry, which reduces the security risk.
The final aspect of physical security is facility surveillance, which will be maintained at all times. Video surveillance should cover all possible entry points; it helps identify suspicious activity and provides a reference for forensic investigations. The facility will have CCTV cameras placed at multiple angles, covering perimeter walls, rooftops, entrances, and walkways. A centralized control room will be operated by qualified technicians. In some areas, cameras will include additional features such as infrared, pan-tilt, and motion sensing to minimize the physical security risk and cover blind spots effectively. Identifying and resolving blind spots will require extensive testing of camera coverage after installation. Moreover, motion detectors linked to silent alarms should be installed discreetly in critical areas and tied to the cameras, which can respond by recording all detected motion.

In addition to the above physical facility features, the compound will also require

adequately qualified security personnel for patrolling. These personnel will be responsible for

monitoring traffic into and out of the building and should provide fast responses when motion

detectors identify unusual activity.

The successful performance of the functions identified above maximizes the

effectiveness of the physical security plan as they complement each other.

Part IV: Enterprise Information Security Compliance Program

Plans and Control Objectives

In the last five years there have been numerous reports of breaches of enterprise databases, which has heightened awareness of the evolving nature of cyber threats. The Board of Directors has therefore requested a robust security plan and policies. At the network perimeter, the new system will have a demilitarized zone (DMZ): a logical subnetwork that exposes the organization's Internet-facing services while keeping them separate from the internal network, allowing secure remote access. The DMZ adds a security layer for the local network, because external users can only reach the authorized content in the DMZ. In case of intrusion, the DMZ also buys time to identify and respond to a breach before it reaches the internal network. For the organization, the services most exposed to external attack are email and the Domain Name System (DNS) servers; the local area network behind them is what the DMZ is there to protect.

Infrastructure in the DMZ will have only limited connectivity to particular hosts in the internal network, and that communication will occur over encrypted channels. The DMZ will also host the application firewall. A separate "classified militarized zone" (CMZ) will host the Web servers and other Internet-facing services that are not part of the DMZ but hold sensitive information. Internet-facing components will communicate over HTTPS (TLS on port 443), which protects traffic in transit through encryption and server authentication. Wi-Fi networks within the organization's offices and facilities will restrict access to authorized employees through WPA2-Enterprise (802.1X authentication with AES-CCMP encryption) or WPA3 where clients support it; the older WPA with the Temporal Key Integrity Protocol (TKIP) is deprecated and has known weaknesses, and must not be used.
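The segmentation rules above can be written down as an explicit allow-list and checked against planned or observed flows before anything is pushed to a firewall. The following Python script is an added illustration, not part of this paper or of any vendor product; the address plan, the host addresses and the permitted ports are assumptions chosen to match the design described (Internet to DMZ on TLS ports only, named DMZ hosts to named internal hosts over encrypted protocols, administrative SSH only from a management network, everything else denied).

```python
"""Zone-based segmentation checker for the DMZ design discussed above.

Added illustration, not from the paper. The address plan, host addresses and
permitted flows are assumptions chosen to match the text: Internet-facing
services sit in the DMZ, only named DMZ hosts may reach named internal hosts,
those flows use encrypted protocols, and everything else is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan. 192.0.2.0/24 and 203.0.113.0/24 are RFC 5737
# documentation ranges standing in for public addresses.
ZONES = {
    "management": ip_network("10.250.0.0/16"),   # carved out of internal, matched first
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Most specific zone containing ip; anything unknown is the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():      # dict order is most specific first
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_hosts: frozenset      # empty = any host in dst_zone
    ports: frozenset
    note: str = ""


# Allow-list; anything not matched is dropped (default deny). First match wins.
RULES = (
    Rule("internet", "dmz", frozenset({"192.0.2.10"}), frozenset({443}),
         "web front end / application firewall, TLS only"),
    Rule("internet", "dmz", frozenset({"192.0.2.25"}), frozenset({25, 465}),
         "mail relay (STARTTLS on 25, SMTPS on 465)"),
    Rule("dmz", "internal", frozenset({"10.1.0.5"}), frozenset({5432}),
         "app server to database; TLS enforced on the DB side (assumed)"),
    Rule("dmz", "internal", frozenset({"10.1.0.53"}), frozenset({853}),
         "DNS over TLS to the internal resolver"),
    Rule("internal", "dmz", frozenset(), frozenset({443}),
         "staff reach DMZ services like any other client"),
    Rule("management", "dmz", frozenset(), frozenset({22}),
         "administrative SSH only from the management network"),
)


def matching_rule(src_ip: str, dst_ip: str, dst_port: int):
    """Return the first rule permitting the flow, or None (deny)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and dst_port in rule.ports
                and (not rule.dst_hosts or dst_ip in rule.dst_hosts)):
            return rule
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return matching_rule(src_ip, dst_ip, dst_port) is not None


# Constructed sample flows, as might come from a firewall log or a connectivity test.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 443),   # public client to web front end
    ("203.0.113.7", "192.0.2.10", 22),    # public client trying SSH to the DMZ
    ("203.0.113.7", "10.1.0.5", 5432),    # public client straight at the database
    ("192.0.2.10", "10.1.0.5", 5432),     # DMZ app server to its database
    ("192.0.2.10", "10.1.0.9", 5432),     # DMZ app server to some other internal host
    ("10.5.5.5", "192.0.2.10", 22),       # ordinary internal workstation doing admin
    ("10.250.3.3", "192.0.2.10", 22),     # admin from the management network
]


def audit(flows):
    """Return [(src, dst, port, 'srczone->dstzone', allowed)] for review."""
    return [(s, d, p, f"{zone_of(s)}->{zone_of(d)}", is_allowed(s, d, p))
            for s, d, p in flows]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

Running the script prints one row per sample flow; the two flows that reach the internal network directly from the Internet and the SSH attempts from anywhere but the management network come back denied, while the app-server-to-database flow is permitted only to the one named host. The same table can be rendered into firewall syntax once it has been reviewed.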

Rapid technological innovation presents new attack vectors for malicious users, so maintaining IT security is an ongoing process that responds proactively to anticipated threats. Most organizations achieve this by contracting third-party penetration testers, who attempt to breach the network defenses by identifying and exploiting weaknesses. The testers then recommend how the vulnerabilities should be remediated, and the findings should be fixed as soon as possible, starting with the most severe.

Information Security Policies for Data Security Assurance

Implementing an effective information security plan requires well-defined security objectives and a strategy with management support. In this case, the organizational policy aims to achieve three main goals: restricting access to data and information assets to authorized personnel in order to maintain confidentiality; maintaining the accuracy and integrity of data and IT systems; and ensuring availability, so that users can access information when necessary. In developing these policies, the NIST SP 800 series provides standards for safeguarding enterprise systems, while the PCI DSS provides guidance on securing payment solutions.

The authority and access control policy will help maintain the confidentiality of data. Security policies usually follow a hierarchical pattern: lower-level employees cannot share the limited information they hold unless directly authorized, whereas senior managers may authorize sharing decisions. Essentially, employees have authority over their own work, while project managers can access files belonging to the groups in which they participate. In some instances, users need access to confidential data to perform their roles effectively, which requires granular data attributes so that such access can be authorized precisely rather than by broad role alone.
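The hierarchy just described can be checked mechanically rather than left to judgement at each request. The following Python code is an added example, not part of this paper; the role names, the "confidential" clearance attribute, and the sample users and documents are assumptions. It encodes the rules above (owners read their own work, project managers read their groups' files, senior managers read and authorize sharing, and a confidential document additionally requires a clearance attribute whatever the role) in one decision function, and shows that an employee cannot share a file without a senior manager's authorization.

```python
"""Hierarchical access-control decisions for the policy described above.

Added example, not part of the paper. Roles, the clearance attribute and the
sample users and documents are assumptions: employees own their own work,
project managers read their groups' files, senior managers may read and may
authorize sharing, and a document marked confidential also requires a matching
clearance attribute regardless of role (the "granularity" the policy asks for).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    name: str
    role: str                              # "employee" | "project_manager" | "senior_manager"
    groups: frozenset = frozenset()        # project groups the user participates in
    clearances: frozenset = frozenset()    # data attributes the user may see, e.g. {"confidential"}


@dataclass(frozen=True)
class Document:
    name: str
    owner: str
    group: str
    classification: str = "internal"       # "internal" | "confidential"
    shared_with: frozenset = frozenset()   # users granted access by an authorized share


def _clearance_ok(user: User, doc: Document) -> bool:
    """Attribute check: confidential data needs an explicit clearance, whatever the role."""
    return doc.classification == "internal" or doc.classification in user.clearances


def can_read(user: User, doc: Document) -> bool:
    """Owner always reads own work; everyone else passes the clearance and role checks."""
    if doc.owner == user.name:
        return True
    if not _clearance_ok(user, doc):
        return False
    if user.role == "senior_manager":
        return True
    if user.role == "project_manager" and doc.group in user.groups:
        return True
    return user.name in doc.shared_with


def share(actor: User, doc: Document, grantee: User, authorized_by: User = None) -> Document:
    """Grant grantee access to doc and return the updated document.

    Sharing is a management decision: a senior manager may share directly, and
    anyone else needs a senior manager's explicit authorization and must own the
    file. The grantee must also hold the clearance the document requires, so a
    share cannot be used to route around the attribute check.
    """
    authorizer = actor if actor.role == "senior_manager" else authorized_by
    if authorizer is None or authorizer.role != "senior_manager":
        raise PermissionError(f"{actor.name} is not authorized to share {doc.name}")
    if actor.role != "senior_manager" and doc.owner != actor.name:
        raise PermissionError(f"{actor.name} does not own {doc.name}")
    if not _clearance_ok(grantee, doc):
        raise PermissionError(f"{grantee.name} lacks clearance for {doc.name}")
    return replace(doc, shared_with=doc.shared_with | {grantee.name})


def share_allowed(actor: User, doc: Document, grantee: User, authorized_by: User = None) -> bool:
    """Boolean form of share() for callers that only need a yes/no answer."""
    try:
        share(actor, doc, grantee, authorized_by)
        return True
    except PermissionError:
        return False


# Constructed sample principals and documents.
ALICE = User("alice", "employee", frozenset({"alpha"}))
BOB = User("bob", "employee", frozenset({"alpha"}))
PM = User("pam", "project_manager", frozenset({"alpha"}))
PM_CLEARED = User("paul", "project_manager", frozenset({"alpha"}), frozenset({"confidential"}))
CEO = User("carol", "senior_manager", frozenset(), frozenset({"confidential"}))
NOTES = Document("alpha-notes", owner="alice", group="alpha")
BUDGET = Document("alpha-budget", owner="alice", group="alpha", classification="confidential")


if __name__ == "__main__":
    for user in (ALICE, BOB, PM, PM_CLEARED, CEO):
        print(user.name, "notes:", can_read(user, NOTES), "budget:", can_read(user, BUDGET))
    print("alice shares alone:", share_allowed(ALICE, NOTES, BOB))
    print("alice shares with CEO approval:", share_allowed(ALICE, NOTES, BOB, authorized_by=CEO))
```

The point of keeping the clearance check separate from the role check is that a project manager's group membership is not enough to read the group's confidential budget; the attribute has to be granted deliberately, and the same attribute gates what can be shared onward.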

The organization will also maintain resource access logs for each server it manages. These include system access logs (both successful and unsuccessful login events), operating system access logs (covering invalid attempts to access operating system resources), and activity logs (tasks carried out by system administrators). A comprehensive audit trail of all activities carried out within the system should be maintained, and a system event logging tool should record these activities so that they can be produced for a security auditor. Apart from reviewing the implementation of guidelines such as those above, a security auditor should review all security measures in place, including users' access control permissions. An audit trail gives the organization an overview of its system operations and helps in tracing past events should a forensic investigation be required.

The most unpredictable security factor in any information system is its users, who are therefore also its biggest liability. It is very difficult to constrain employee activity at all times, but regular security training sessions should considerably reduce the risks that employees pose. Employees can jeopardize security either deliberately or inadvertently. Training helps prevent the latter, while the former requires an effective monitoring system that includes background security checks on employees. A sense of ownership should be cultivated among employees so that they are co-opted into looking out for the security of the system (Peltier, 2016).

Steps for Defining Security Needs

Defining the security needs of the organization will be done according to duties, staffing, training, and processes, following these steps:

• Employees' security credentials will grant access only to the information relevant to their duties.

• The staffing of each department will play a part in determining its security needs. Manufacturing, for example, may need only physical access permissions.

• Security training will be conducted regularly to keep employees aware of the latest threats. It will be aimed at all employees in every department and will be mandatory.

• The various processes carried out within the organization will be ranked by importance, and the most critical will receive the highest level of security available. These include human resources records, financial details, and intellectual property.

Risk Management Plan

Effective risk management requires that those responsible understand all the potential avenues of risk. However a risk may present itself, all necessary measures should be taken to prepare for each one identified. The preparation can take the following approaches into consideration:

• Risk avoidance intentionally steers the organization away from a direction that is fraught with risks it cannot manage. This requires that the risk has first been identified and the organization has determined that it lacks the means to overcome it. It is a preemptive measure that shields the organization from risks it has no capacity to handle effectively.

• Risk can be transferred to a third party if the organization cannot avoid it and lacks the capacity to handle it. Best practice is to transfer the risk to an underwriter such as an insurance company, which, for a fee, absorbs the effects of the risk on the organization's behalf.

• The organization can take on the risks itself by putting mitigation measures in place. It then faces the risk but controls it so that the damage is less than it would otherwise have been. Since the risks will vary, the mitigation measures should encompass the whole range of identified risks. With mitigation, the organization is willing to bear the brunt of a risk to a certain extent, usually to gain a fair understanding of it while working to handle it (Layton, 2016).

When risks materialize, the damage they cause can be indiscriminate. An organization can nevertheless control the damage if it has defined its priorities. These priorities take the form of the organization's most critical processes, those which, if severely affected, would cause the most damage. They take precedence when priorities are set and are allocated risk management resources ahead of the rest. A sound risk management strategy is therefore one anchored in effectively protecting the organization's most important processes. Commonly, organizations choose their intellectual property, communication channels, and valuable data such as financial and client records, along with other processes central to continued operations. The risk management strategy will set out the biggest risks facing them and the best way to handle each should it materialize. With these priorities in place, an organization may still experience the effects of a risk but can confine them to the less important or less urgent parts of its operations.

Effective risk monitoring requires both technical and management controls. Management takes an administrative position by ensuring that the risk monitoring apparatus has the necessary resources at its disposal: financial, personnel, authority, and other requisite support. Risk monitoring is expected to be an enterprise-wide endeavor, and it will go smoothly only if the various departmental heads support it, which management must ensure. Technical controls for accurate risk monitoring are anchored in frequent risk audits and effective early warning mechanisms. Risk audits report the state of the system and identify the organization's strengths and weaknesses; the audit results then drive efforts to close the weaknesses identified. System event logging can provide a baseline of normal activity, and any deviation from that baseline becomes the early warning that alerts the organization to potential risks. Technical risk monitoring succeeds only when management has provided an environment for it to do so (Peltier, 2016).
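Both the access logs described under the information security policies (successful and failed logins, administrator activity) and the baseline early warning mechanism described here can be exercised with a small script. The following Python code is an added example, not part of this paper; the one-line log format, the host name and every log entry are constructed for the illustration (a real deployment would feed syslog or journal output into the same parse step). It parses login and administrator events, builds a per-user baseline of daily failed logins and known source addresses from the first three days, and flags deviations on the fourth: a spike in failed logins, a never-before-seen source address, and a user with no baseline at all.

```python
"""Baseline-and-deviation monitoring over access logs.

Added example, not from the paper. The log format is invented for the
illustration (one event per line: <timestamp> <host> <EVENT> user=<u> src=<ip>)
and every line below is constructed. The first three days form the baseline;
the fourth day is the window being monitored.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|SUDO) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed baseline: jdoe mistypes a password now and then from one desk,
# asmith logs in from another and uses sudo once.
BASELINE_LINES = [
    "2024-03-01T08:02:11 srv01 LOGIN_FAIL user=jdoe src=10.1.4.20",
    "2024-03-01T08:02:30 srv01 LOGIN_OK user=jdoe src=10.1.4.20",
    "2024-03-01T09:10:05 srv01 LOGIN_OK user=asmith src=10.1.5.7",
    "2024-03-02T08:05:40 srv01 LOGIN_FAIL user=jdoe src=10.1.4.20",
    "2024-03-02T08:05:55 srv01 LOGIN_FAIL user=jdoe src=10.1.4.20",
    "2024-03-02T08:06:10 srv01 LOGIN_OK user=jdoe src=10.1.4.20",
    "2024-03-02T09:00:00 srv01 LOGIN_FAIL user=asmith src=10.1.5.7",
    "2024-03-02T09:00:20 srv01 LOGIN_OK user=asmith src=10.1.5.7",
    "2024-03-03T08:01:02 srv01 LOGIN_FAIL user=jdoe src=10.1.4.20",
    "2024-03-03T08:01:20 srv01 LOGIN_OK user=jdoe src=10.1.4.20",
    "2024-03-03T09:12:00 srv01 LOGIN_OK user=asmith src=10.1.5.7",
    "2024-03-03T17:30:00 srv01 SUDO user=asmith src=10.1.5.7",
]
# Constructed monitored day: a password-guessing burst against jdoe from an
# outside address, one ordinary slip by asmith, and a probe of the root account.
MONITORED_LINES = [
    f"2024-03-04T02:{11 + i:02d}:01 srv01 LOGIN_FAIL user=jdoe src=198.51.100.9"
    for i in range(12)
] + [
    "2024-03-04T09:03:00 srv01 LOGIN_FAIL user=asmith src=10.1.5.7",
    "2024-03-04T09:03:15 srv01 LOGIN_OK user=asmith src=10.1.5.7",
    "2024-03-04T03:00:00 srv01 LOGIN_FAIL user=root src=198.51.100.9",
]
SAMPLE_LOG = "\n".join(BASELINE_LINES + MONITORED_LINES)


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def split_window(events, monitor_day):
    """Events before monitor_day form the baseline; events on it are inspected."""
    baseline = [e for e in events if e["day"] < monitor_day]
    current = [e for e in events if e["day"] == monitor_day]
    return baseline, current


def build_baseline(events):
    """Per user: known source addresses, and mean/stdev of daily failed logins."""
    days = sorted({e["day"] for e in events})
    sources = defaultdict(set)
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        sources[e["user"]].add(e["src"])
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]][e["day"]] += 1
    baseline = {}
    for user in sources:
        counts = [fails[user].get(day, 0) for day in days]   # zero-filled per day
        baseline[user] = {"sources": sources[user], "mean": mean(counts), "stdev": pstdev(counts)}
    return baseline


def detect(baseline, events, sigma=3.0, min_failures=3):
    """Return (user, kind, detail) alerts for deviations from the baseline."""
    fails = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        sources[e["user"]].add(e["src"])
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]] += 1
    alerts = []
    for user in sorted(sources):
        if user not in baseline:                       # no history at all: always worth a look
            alerts.append((user, "unknown_user", ",".join(sorted(sources[user]))))
            continue
        b = baseline[user]
        for src in sorted(sources[user] - b["sources"]):
            alerts.append((user, "new_source", src))
        threshold = b["mean"] + sigma * b["stdev"]    # min_failures stops 1 slip alerting on a clean record
        if fails[user] > threshold and fails[user] >= min_failures:
            alerts.append((user, "failed_login_spike", fails[user]))
    return alerts


def run(text=SAMPLE_LOG, monitor_day="2024-03-04"):
    events = parse_log(text)
    baseline_events, current = split_window(events, monitor_day)
    return detect(build_baseline(baseline_events), current)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the script raises three alerts: a new source address and a failed-login spike for jdoe, and an unknown user (root) probed from the same outside address; asmith's single failure from a known address stays below the user's own threshold. The same structure scales to the administrator activity logs (the SUDO events are already parsed), for instance by baselining the hours at which each administrator normally works.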

References

IT Security Essential Body of Knowledge (EBK). (n.d.). Retrieved November 29, 2016, from http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2007-12/ISPAB_Dec7-BOldfield.pdf

Layton, T. P. (2016). Information security: Design, implementation, measurement, and compliance. CRC Press.

NIST SP 800-39, Managing information security risk. (n.d.). Retrieved March 2, 2016, from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Peltier, T. R. (2016). Information security policies, procedures, and standards: Guidelines for effective information security management. CRC Press.
