Ace Consulting

Dan Bedell

Cyber Management

CSOL 550

12/09/2019

Prof. Moore

Abstract

When conveying the topic of cybersecurity, we must focus on risk management. According to the text Cybersecurity for Executives: A Practical Guide, “cybersecurity is about risk management. It is about protecting your business, your shareholders’ investments, and yourself while maintaining competitive advantage and protecting assets.” (Touhill, 2014) Senior leadership does not have the liberty and freedom to dive deep into the technical aspects of cybersecurity. It is their responsibility to manage the everyday workings of the company, not to be tech savvy; knowledge of key principles is valuable but not required. Executives or leadership may take a hands-off approach to cybersecurity and leave it up to the professionals, but a Participative Leadership Style would benefit an executive in leading the cybersecurity branch of an organization.

When developing your organization’s Information Systems Security Plan (ISSP), there are factors that must be taken into consideration. One of the main factors is the implementation of an incident response program. According to SANS, “any incident is an undesired event for an organization and having a well thought out incident response program provides a layer of protection for an organization providing logical steps to keep the event from escalating out of control.” (Behm, 2003) SANS lays out the incident response plan in six phases: Preparation, Identification, Containment, Eradication, Recovery, and Follow-up. (Behm, 2003) The incident response plan with its six phases shall be executed by a team of people who have the training, talent, and equipment to respond to incidents in a timely and effective manner.

Recommendations for investment in the cyber security program shall be made to protect an organization’s critical assets, finances, and reputation. Initial costs of implementation may be high for the organization’s inventory of PCs, but in comparison to a cyber-attack that compromises the hardware and software and steals the PII and PHI of employees and customers, the cost of prevention is well worth the potential risk it averts.


1: Company Summary

1.1 Enterprise Architecture

Ace Consulting is currently developing, designing, launching, and maintaining a cyber monitoring service and identifying the likely types of hardware/software needed. The existing Ace Consulting cyber security program was developed and launched in 2001. Ace Consulting has determined that its information systems need to be more secure and better protect sensitive information belonging to Ace Consulting, its customers, and its employees; improved information security will also attract potential clients.

Ace Consulting is a small business that was founded in 1974 and is focused on project management consulting and the implementation of best practice processes and solutions. Our client base consists of other small and medium-sized businesses as well as local, state, and federal government organizations that lack project management experience and expertise. Ace Consulting is consolidated in its headquarters in Portland, Oregon, with some workers offsite in multiple states and working from client sites.

Our services include:

- Project Management
- Program Management (all phases)
- Process Improvement
- Human Capital Resource Management
- Project Management Training

2: Management

2.1 Roles and Responsibilities

According to a lecture by McCready, leadership is defined as “the ability to influence a group toward the achievement of goals.” (McCready, 2016) Although this definition of a leader plays a part in management, it does not encapsulate the term management. McCready defines management as “the use of authority inherent in designated formal rank to obtain compliance from organizational members.” (McCready, 2016)

Perhaps a better way to describe management is by describing the basic operations in the work of the manager. “First, a manager sets objectives. Second, a manager organizes. They analyze the activities, decisions, and relations needed. They classify the work. Divide it into manageable jobs. Third, a manager motivates and communicates. Fourth, a manager creates a way to measure progress. The manager creates targets and yardsticks. Finally, a manager develops people, including themselves.” (Drucker, 2011) These five basic operations of a manager will be the yardstick used to define a manager.

A manager has the integrity to take extreme ownership. “Managers take responsibility for contribution. And integrity rather than genius is the basic requirement for managers.” (Drucker, 2011) Integrity is a basic requirement for management because managers must take ownership of the good as well as the bad. This is extreme ownership; it is having the integrity to own the situation even when things went badly.

The CIO is the approval authority for the Information Systems Security Plan.

The CISO is responsible for the development, implementation, and maintenance of the Information Systems Security Plan and associated standards and guidelines. (Palmer, 2000)

The Compliance Officer shall be responsible for ensuring that Ace Consulting’s monitoring adheres to applicable laws and regulations. (Johnson, 2015) The position of Compliance Officer within Ace Consulting shall be held by the Senior IT Manager, and must be approved by the CIO and CISO.

The Administrators and Managers are responsible for creating procedures that ensure information at rest and in transit adheres to the Information Systems Security Plan. (SANS, 2014)

The Users are responsible for using the information, computers, and network systems only for the intended purposes, and for maintaining the confidentiality, integrity, and availability of the information accessed. (Palmer, 2000)

2.2 Planning Management

Cyber security, according to Touhill, “is a holistic set of activities that are focused on protecting an organization’s vital information. Cyber security includes technologies employed to protect information. Effective cyber security preserves the confidentiality, integrity, and availability of information, protecting it from attack by bad actors, damage of any kind, and unauthorized access by those who do not have a ‘need to know.’” (Touhill, 2014) The bad actors include, but are not limited to, nation-states, organized crime, hackers, hacktivists, insider threats, and substandard products and services. (Touhill, 2014) Cyber security managers must be ready to protect against all possible threats. They must be constantly learning about new technologies and new threats, and at times be creative in mitigating those threats. All this must be done in the most cost-effective way.

2.3 Implementation Management

Ace Consulting shall keep a hybrid model for its cyber security operations. An organization that adopts a hybrid model for cyber security operations will have a small in-house staff that contributes to cyber security operations as well as a robust managing staff to oversee the operations of not only the in-house staff but also the contractors. Using the hybrid model, the organization will be able to save money on payroll by outsourcing the bulk of the cyber security operations to contractors. The hybrid model will also cut the cost of annual training and of maintaining a professional IT staff. The Implementation Management POC shall be the CISO.

2.4 Risk Management

To executives, the cyber security managers may seem to spend large amounts of funds while producing no products. The cyber security manager must seek to limit costs while also keeping the risks to the enterprise system low. When justifying costs to executives, the cyber security manager may define cyber security according to Touhill: “Cyber security is about risk management. It is about protecting your business, your shareholders’ investments, and yourself while maintaining competitive advantage and protecting assets.” (Touhill, 2014)

Making cyber security about risk management helps nontechnical managers better understand the monetary investment in cyber security. Cyber security does not produce a product to sell to customers; rather, it protects the organization’s current investments. Those investments may include employee and customer health information, banking information, or corporate proprietary information that makes the company millions of dollars.


2.5 Human Resource Management

The Human Resources Management shall be responsible for creating and enforcing the rules of behavior. The rules of behavior are an official document which all persons with access to the system must read and sign to confirm that they understand the expectations and responsibilities for their behavior on the organization’s systems. (Swanson, 2006) Once they sign, they have acknowledged that they have read and agreed to follow the rules of behavior. By signing, they also recognize that they will be held accountable for any abuses or negligence in not following the rules of behavior. The POC for the Human Resources Management shall be the President of the Human Resources Department.

2.6 Cost Management

The manager’s greatest concern has always been and shall always be the organization’s economic budget. Cyber security does not produce a product that makes money. Cyber security spends money to protect the organization from bad actors. Cyber security managers must objectively show how their contributions save the organization money in both the short and long terms through the application of security mechanisms.

Business management is always about financial profits. Cyber security management is about protecting the information that allows the business managers to make those profits. Although it appears at first look that business management and cyber security management are at odds with each other over making money and spending money, the reality is that they must work in concert with each other for the organization to reach its full monetary potential.

3: Planning

3.1 Information Security Implementation


An organization needs each employee to have the necessary access to the network in order to complete production. This access must be balanced with the necessity to protect against data loss from multiple threats. To accomplish this task, the organization will require an information security plan and must have that plan properly governed. Information governance is about balancing the business objectives with the information security requirements of the organization.

3.1.1 Physical security: Physical security shall include Closed-Circuit Television (CCTV), dead bolt locks on doors, a security alarm system for the building, and a security patrol officer for the building and parking structure. The POC for physical security policy shall be the CISO.

3.1.2 Access control: Access control to the building and department sections shall be determined by access badges that must always be worn. The access badges will be coded to a scramble keypad that must be scanned and have the proper access code entered. To access user stations, a Common Access Card (CAC) must be inserted into a card reader and the unique access code entered. The POC for access control policies shall be the CISO.

3.1.3 Website Data Security: Website Data Security shall be the responsibility of the CISO. The CISO shall be the POC for the Website Data Security policy.

3.1.4 Mobile and Cloud service: Mobile devices that are not provided by Ace Consulting shall not be permitted to connect to the information system. Ace Consulting shall back up all data to an off-site Cloud service. The POC for the Mobile and Cloud service shall be the CISO.

3.1.5 Timely Integration of Information: When interconnecting with systems owned or operated by other entities, the following authorization information for the connection to other systems or the sharing of information must be provided:

- Name of system
- Organization
- Type of connection
- Authorizations for interconnection
- Name and title of authorizing officials
- Date of agreement
- Certification and accreditation status of system

3.1.6 Reliable Communication:

3.1.7 System Development and Maintenance: The deadline for completion of all system security plans shall be December 31, 2019. This date shall be updated when the plan is annually reviewed and updated. When updated, the version shall be added. Each review shall contain the date the authorizing official (CIO), or the designated approving authority (CISO), approved the plan. Approval documentation shall be on file as part of the plan.

System security plans will be reviewed on an annual basis for any changes in status, functionality, design, etc. This document is critical for system certification activity. Some information that will be included in the review is:

- Change in information system owner
- Changes in information system architecture or status
- Changes in system interconnections and scope
- Change in authorizing official/certifications

3.2 Contingency Planning: A successful contingency program will have a well laid out contingency plan. Using steps in a training program that requires planned testing and planned exercises followed by review and an updated plan will prepare the organization in the event of a disastrous loss of data and/or capabilities. “The best risk management programs have well-defined processes, well-trained and motivated employees who understand and implement the program, and active leadership who maintains ownership over the risk management program.” (Touhill, 2014)

3.2.1 Natural Calamities: In the event of natural calamities that cause major damage to the Information System, the POC shall be the CISO.

3.2.2 Power Outage: In the event of a power outage, a diesel-powered generator shall turn on within five seconds. These generators shall be tested monthly in order to prevent the diesel fuel from becoming unusable. The POC for the diesel-powered generators for back-up power shall be the CISO.


3.3 Business Continuity Plan: The plan covers the design, development, licensing, and hosting of Ace Consulting’s new services and of the information systems hardware/software needed. The portfolio will analyze all current contacts and determine target demographics for future and potential clients.

The following criteria shall be met:

- Monitoring services
- List of all types of hardware/software needed
- User-friendly GUI environment
- Ability to migrate current information systems into the new information system
- Information system shall be changed/modified easily by Ace Consulting personnel
- All software/licensing will be included in the scope of the project
- Information system should be compatible with all current technologies and easily upgradeable
- Performing a complete testing process on the IS and database to ensure functionality

4: Implementation Management

4.1 Proposed Timeline/Execution: Project initiation phase must be completed by December 31, 2020.

Project planning phase must be completed by May 15, 2020. Project planning phase will determine the timeline/schedule for the remaining phases of the project.

4.2 Budget: All proposals must include proposed costs to complete the tasks described in the project scope. Costs should be stated as one-time or non-recurring costs (NRC) or monthly recurring costs (MRC). Pricing should be listed for each of the following items in accordance with the format below:

5: Risk Management

Risk Management is the process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment, cost-benefit analysis, the selection, implementation, and assessment of security controls, and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. (Swanson, 2014) The POC for risk management shall be the CISO.

5.1 Risk Identification: To determine the inherent risk to the organization, five categories were assessed: technologies, connections, transmission, mobile products and technology services, and external threats.

5.2 Risk Assessment: The risk level has been determined to be moderate for technologies and connection types, significant for delivery channels, minimal for online/mobile products and technology services, minimal for organizational characteristics, and significant for external threats. The overall inherent risk for the organization is minimal.

5.3 Analysis & Prioritization: The “normal” cyber security approaches to identify and assess vulnerabilities within the cyber infrastructure are often conducted in the form of best practices. These best practices are often developed through trial and error in mitigating vulnerabilities. Furthermore, “normal” cyber security approaches are beginning to implement a scientific-method approach and taking less of an artistic approach. The “normal” approach is often conducted with the intent of focusing efforts on testing known security controls, and then searching for unknown vulnerabilities.

The “hacker” cyber security approaches may often be similar in appearance, but differ in that hackers tend to take more of a creative approach to testing cyber infrastructure. This creativity is needed in order for black hat hackers to penetrate a denied system and exploit it. Additionally, hackers often look for the path of least resistance into a system. They will often choose to find alternative, non-conventional approaches to solving problems, because of the necessity of avoiding the “textbook” approaches taken by “normal” cyber security technicians.

5.4 Mitigation Planning, Implementation & Monitoring: Security controls shall be in place to mitigate vulnerabilities. Auditors shall conduct continuous monitoring to assess risk to the system. Security controls shall be implemented as required to mitigate future vulnerabilities. The CISO shall have approval authority for implementing security controls to mitigate vulnerabilities.


5.5 Risk Tracking: The auditors must always look at what controls are in place to mitigate risks and evaluate the efficiency of those controls. (USD, 2016) This is what auditing the system is all about: recognizing the controls that have been put in place to mitigate specific risks and testing whether they are in fact protecting the system from those risks. Once the auditors have verified that the controls in place are doing what they are supposed to do, an auditor is then going to test the system for other known vulnerabilities that are new or may have been overlooked in the past. Once they have their results, the auditors will be required to determine whether or not the company wants to pay to update current controls, add new controls, or accept the risk to the system by not putting any controls in place. Which controls to focus on will be determined early in the process and will be defined in the audit focus. Since the auditors have finite resources, they will not be able to audit everything; rather, they will focus the audit on specific controls in order to be the most productive and cost effective.

5.6 Classification of Risk: The system shall have an impact level of low, moderate, or high in the security categorization, depending on the criticality or sensitivity of the system and any major applications the general support system is supporting.

5.8 Business Driven Risk: Business management is always about financial profits. Cyber security management is about protecting the information that allows the business managers to make those profits. Although it appears at first look that business management and cyber security management are at odds with each other over making money and spending money, the reality is that they must work in concert with each other for the organization to reach its full monetary potential. The CIO shall be the approval authority for business-driven risk.

6: Cost Management

The cost per Personal Computer (PC) over a three-year period totals $1,535. The benefits per PC over the same three-year period total $5,113. This gives the organization a net benefit of $3,377 per PC over a three-year period. This gives the organization a Return on Investment (ROI) of 137%. The total period that it will take for the organization to recoup the expenses of the three years of its investment in cyber security is 12 months.

6.1 Provide security infrastructure that reduces development costs: When factoring the initial costs of implementation, four categories were considered: hardware; software; IT labor, services, & training; and end-user labor & training. For each of the four categories, a one-time initial cost is assessed along with an annual on-going cost to maintain each category. The total one-time initial cost for all categories has been determined to be $1,345. The annual on-going cost for all four categories is $164. Over a three-year period, this adds up to the $1,736 cost per PC.

6.2 Reduce operational costs: The IT labor/services TCO savings is determined using five categories: PC management services, help desk (tech support), server & network management services, application development, and administrative & other. Each of these five categories shows an annual on-going benefit per PC. The total monetary benefit for a one-year period is $745, with a $2,235 monetary benefit over a three-year period.

6.3 Reducing development costs: There are other direct cost savings according to the ROI: IT savings and business savings. The IT savings categories include software (clients), software (servers), hardware, IT services, power/electricity usage, and other IT costs. These benefits have a small one-time cost savings of $75 per PC with a $94 annual on-going cost savings per PC. The business savings has three separate categories: travel expenses, business services, and other business expenses. The business savings comes to a total of $50 over a three-year period per PC. The total cost savings over a three-year period is $406 per PC.

6.4 Cost of Security: The cost per Personal Computer (PC) over a three-year period totals $1,736.

6.5 Planned costs: The benefits per PC over the same three-year period total $4,113. This gives the organization a net benefit of $2,377 per PC over a three-year period. This gives the organization a Return on Investment (ROI) of 137%. The total period of time that it will take for the organization to recoup the expenses of the three years of its investment in cyber security is 12 months.

When factoring the initial costs of implementation, four categories were considered: hardware; software; IT labor, services, & training; and end-user labor & training. For each of the four categories, a one-time initial cost is assessed along with an annual on-going cost to maintain each category. The total one-time initial cost for all categories has been determined to be $1,245. The annual on-going cost for all four categories is $164. Over a three-year period, this adds up to the $1,736 cost per PC.
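As an added example (not part of the plan, and not Ace Consulting's own tooling), the following Python model recomputes the per-PC figures of section 6.5 (one-time cost, annual on-going cost, benefit over the horizon) into total cost, net benefit, ROI and payback period, and adds the break-even annual benefit a manager would want when executives challenge the savings estimate. The class and method names are assumptions; the dollar figures are the plan's.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PerPcCostBenefit:
    """Per-PC cost/benefit model for a cyber security program over a fixed horizon.

    Hypothetical class, not from the plan. Cost is split the way the plan splits it:
    a one-time initial cost plus an annual on-going cost. Benefit is an annual figure.
    """
    one_time_cost: float      # initial implementation cost per PC
    annual_cost: float        # on-going cost per PC per year
    annual_benefit: float     # on-going benefit (savings) per PC per year
    years: int = 3            # planning horizon; the plan projects three years

    @classmethod
    def from_horizon_benefit(cls, one_time_cost: float, annual_cost: float,
                             total_benefit: float, years: int = 3) -> "PerPcCostBenefit":
        """Build the model from a benefit stated over the whole horizon, as the plan states it."""
        return cls(one_time_cost, annual_cost, total_benefit / years, years)

    def total_cost(self) -> float:
        return self.one_time_cost + self.annual_cost * self.years

    def total_benefit(self) -> float:
        return self.annual_benefit * self.years

    def net_benefit(self) -> float:
        return self.total_benefit() - self.total_cost()

    def roi_percent(self) -> float:
        """Return on investment: net benefit as a percentage of total cost over the horizon."""
        return 100.0 * self.net_benefit() / self.total_cost()

    def payback_months(self) -> Optional[float]:
        """Months until cumulative net cash flow recovers the one-time cost.

        Returns None when the annual benefit never exceeds the annual on-going cost,
        i.e. the investment is never recovered.
        """
        monthly_net = (self.annual_benefit - self.annual_cost) / 12.0
        if monthly_net <= 0:
            return None
        return self.one_time_cost / monthly_net

    def breakeven_annual_benefit(self) -> float:
        """Smallest annual benefit at which the program pays for itself over the horizon."""
        return self.total_cost() / self.years

    def cumulative_net(self, year: int) -> float:
        """Cumulative net benefit at the end of a given year (year 0 = before any benefit)."""
        return (self.annual_benefit - self.annual_cost) * year - self.one_time_cost


# Figures from section 6.5 of the plan: $1,245 one-time, $164 per year, $4,113 benefit over 3 years.
PLAN_MODEL = PerPcCostBenefit.from_horizon_benefit(1245, 164, 4113, years=3)

if __name__ == "__main__":
    m = PLAN_MODEL
    print(f"total cost over {m.years} years: ${m.total_cost():,.0f}")
    print(f"net benefit: ${m.net_benefit():,.0f}  ROI: {m.roi_percent():.0f}%")
    print(f"payback: {m.payback_months():.1f} months")
    print(f"break-even annual benefit: ${m.breakeven_annual_benefit():,.0f}")
    for year in range(0, m.years + 1):
        print(f"cumulative net after year {year}: ${m.cumulative_net(year):,.0f}")
```

On the plan's own inputs the model gives a 137% ROI and a payback of just over 12 months, which is how the rounded figures stated in 6.5 are reached.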

6.6 Potential costs: The Key Performance Indicator (KPI) is assessed using four categories: sales/marketing performance, business management effectiveness, supply/operations performance, and technology effectiveness. With the implementation of the cyber security program, the first three categories will remain the same. However, the technology effectiveness category will see an increase of 27.1% over a three-year period. This will result in an overall organizational improvement of 6.8% in organizational performance.


6.7 Comparative costs with industry: It is assessed that the initial investment will cost slightly less than the net benefits of the first year. Each subsequent year, the net benefits will outweigh the costs of maintaining the cyber program. The costs and benefits are only projected out to three years because of the speed at which technology advances. Every three years, the cyber security program’s technology will need to be reassessed to determine whether another large initial investment will need to be made to replace outdated hardware and software.

7: Analysis & Recommendation Management

7.1 Key Elements: Finding the most well-rounded cyber security staff for the organization must be done in a holistic manner. The employer must consider a potential employee’s educational background, work experience, special skills, and certifications. Rarely does an employee meet all of the requirements that an employer is looking for. Therefore, the employer must consider how well this person will fit into the organization’s culture, and how well they are able to learn new technologies and techniques. If the person has the correct attitude of, “I will work hard and learn anything that I don’t know,” then they are starting off on the right foot. There will always be a certain amount of intelligence that is required to do cyber security; however, a hard worker will always outperform someone that is knowledgeable and lazy.

Organizations should keep a hybrid model for their cyber security operations. An organization that adopts a hybrid model for cyber security operations will have a small in-house staff that contributes to cyber security operations as well as a robust managing staff to oversee the operations of not only the in-house staff but also the contractors. Using the hybrid model, the organization will be able to save money on payroll by outsourcing the bulk of the cyber security operations to contractors. The hybrid model will also cut the cost of annual training and of maintaining a professional IT staff.

7.2 Conclusion and Future Work: There are a few practical and obvious ways to ensure that personnel are following the “Spirit” of NIST SP 800-18. First, require all personnel to read and sign the rules of behavior before they are allowed access to the organization’s systems. This will ensure that personnel know and understand what behaviors are acceptable and which are not. Second, ensure that personnel receive training on safe computing in an office environment as well as at home. This training will further reinforce the expectations, rules, and requirements of what behavior is acceptable on the organization’s information systems and what behaviors are deemed unacceptable. Last, I think that blocking access to non-essential content is a good step in the right direction to keep personnel from being tempted to abuse the organization’s information systems. Examples of content that would be blocked include pornography, social media accounts, gaming sites, and video streaming sites. By blocking such sites from being accessed in the first place, it will prevent personnel from accessing unacceptable content and breaking the rules of behavior.

The ISSP will require more than just an incident response plan. Some of these plans include a Disaster Recovery Plan (DRP), Information System Contingency Plan (ISCP), and a Continuity of Operations Plan (COOP). (Swanson, 2010) The DRP applies to major, usually physical, disasters. Examples include earthquakes, firestorms, floods, and hurricanes. The ISCP provides procedures for the assessment and recovery of a system following a system disruption. The COOP focuses its efforts on restoring mission essential functions at an alternate site and continuing to perform those functions for up to 30 days. (Swanson, 2010)

Having policies and plans in place will allow the organization to react in a timely and effective manner. The organization will have a greater ability to ensure the confidentiality, integrity, and availability of the organization’s information as well as the customer’s information. Having these plans in place is also significant because, in the event that an incident occurs, the organization’s employees will have a greater understanding of what is expected of them. People will be less likely to be running around like chickens with their heads cut off.

8: Student Assessment of ISSP to Cyber Management:

As a leader of a cybersecurity team, in the event of any type of attack, the training, preparation, and protection that have been set up using policy and standards shall mitigate any potential threats. But in the event of a successful attack, leadership shall take the appropriate steps to stop the spread of damage to one’s organization. If an attack is successful, the potential for damage is great, and the need for leadership to communicate the findings, cause, loss, and remedy of an attack to executives is key. A proper report can help spread the correct information to executives and stakeholders to prevent unwanted losses in revenue. The ISSP can provide the goals companywide and how an organization will achieve those goals. The ISSP helps all employees, from executives to new hires, understand their responsibilities when dealing with security. These plans can help the company grow in the future and give it the ability to handle any potential issues in the future.

References:

Behm, Robert L. (2003). The Many Facets of an Information Security Program. SANS Institute InfoSec Reading Room. Retrieved from: https://www.sans.org/reading-room/whitepapers/awareness/facets-information-security-program-1343.

Touhill, Gregory J., and C. Joseph Touhill. (2014). Cybersecurity For Executives: A Practical Guide. John Wiley & Sons, Inc.: Hoboken, New Jersey.

Swanson, Marianne, Joan Hash, and Pauline Bowen. (2006). Guide for Developing Security Plans for Federal Information Systems. NIST Special Publication 800-18 Revision 1. Gaithersburg, MD.

Swanson, Marianne, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes. (2010). Contingency Planning Guide for Federal Information Systems. NIST Special Publication 800-34 Rev. 1. Retrieved from: https://ole.sandiego.edu/bbcswebdav/pid-1198703-dt-content-rid-3328090_1/courses/CSOL-550-MASTER/NISTPUB.pdf.

Drucker, Peter F. (2011). Management Tasks, Responsibilities, Practices. Routledge Taylor & Francis Group: New York, New York.