ACME, Inc. ISSP
CSOL 550 Final Paper
Eric Wendt
July 8, 2018
ACME CYBER
Table of Contents
Abstract
1: Company Summary
2: Management
2.1 Roles and Responsibilities
2.2 Planning Management
2.3 Implementation Management
2.4 Risk Management
2.6 Audit Criteria
2.7 Hiring Auditors
3: Planning
3.1 Information Security Implementation
3.1.1 Physical security
3.1.2 Access control
3.1.3 Website Data Security
3.1.4 Mobile and Cloud service
3.1.5 Timely Integration of Information
3.1.6 Reliable Communication
3.1.7 System Development and Maintenance
3.2 Contingency Planning
Network Availability vs. System Protection
4: Implementation Management
4.1 Proposed Timeline/Execution
4.2 Budget
5: Risk Management
5.1 Risk Identification
5.2 Risk Assessment
Analysis
ROI Features
Conclusions and Recommendations
5.3 Analysis & Prioritization
5.4 Mitigation Planning, Implementation & Monitoring
5.5 Risk Tracking
5.6 Classification of Risk
5.7 Data Driven Risk
5.8 Business Driven Risk
5.9 Event Driven Risk
6: Cost Management
6.1 Provide security infrastructure that reduces development costs
6.2 Reduce operational costs
6.3 Reducing development costs
6.4 Cost of Security
6.5 Planned costs
6.6 Potential costs
6.7 Comparative costs with industry
7: Analysis & Recommendation Management
7.1 Key Elements
7.2 Conclusion and Future Work
8: Student Assessment of ISSP to Cyber Management
Works Cited
Abstract
The objective of this Information System Security Plan (ISSP) is to improve protection of information
technology (IT) resources at ACME, Inc. Cyber-attacks have the potential not only of disrupting company
operations, but of dampening the financial prospects of the company. A severe cyber-attack could even
threaten an organization's survival. One study has shown that over 60 percent of companies that
experience a serious cyber-attack fail within 6 months (citation). An ISSP is meant to set in place a plan
to protect the company's financial and informational assets as well as prepare an adequate response
in the aftermath of an attack. In addition, this document sets in place not only technical
requirements but also information system management best practices.
The ISSP is more than a static document: it is a process by which ACME, Inc. can evaluate the
information security systems and management practices it has in place. It is an opportunity to evaluate
its emergency response and contingency plans. It is also the most cost-effective security protection for a
system. The ISSP clearly delineates the responsibilities of all staff who access the system for their
daily tasks. As a joint effort of the CISO and company executives as well as the IT team and regular staff, it is a
process that has involved participation by all staff, and this has already engaged staff in consideration of
information security best practices at all levels of the organization.
The purpose of this security plan is to provide an overview of the security of the ACME Inc. and describe
the controls and critical elements in place or planned for, based on NIST Special Publication (SP) 800-53
Rev. 3, Recommended Security Controls for Federal Information Systems. Each applicable security
control has been identified as either in place or planned. This SSP follows guidance contained in NIST
Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information
Systems, February 2006.
This System Security Plan (SSP) provides an overview of the security requirements for ACME, Inc. and
describes the controls in place or planned for implementation to provide a level of security appropriate
for the information processed as of the date indicated in the approval page.
Note: The SSP is a living document that will be updated periodically to incorporate new and/or modified
security controls. The plan will be revised as the changes occur to the system, the data or the technical
environment in which the system operates.
The purpose of the system security plan (SSP) is to provide an overview of federal information system
security requirements and describe the controls in place or planned to meet those requirements. The SSP
also delineates responsibilities and expected behavior of all individuals who access the information
system and should be viewed as documentation of the structured process for planning adequate, cost-
effective security protection for a major application or general support system. It should reflect input
from various managers with responsibilities concerning the information system, including information
owner(s), system owner(s), system operator(s), and the information security manager. Additional
information may be included in the basic plan, and the structure and format organized according to
requirements.
Each SSP is developed in accordance with the guidelines contained in National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information
Technology Systems, and applicable risk mitigation guidance and standards.
1: Company Summary
1.1 Enterprise Architecture
The ACME, Inc. Enterprise Architecture (EA) Plan is presented to fellow Michigan citizens, state of Michigan
employees and valued partners. Our EA effort has been a five-year journey that has seen many
ups and downs, resulting in significant maturation of our technology and planning approaches
(Eguren, 2000). Looking across state government, we are continuously reflecting on, planning for and
delivering alignment between public service needs and technical investment decisions.

Information Architecture
Information Architecture (IA) is the process of maturing and governing
the information needed to support the business processes and functions for state and cross-
boundary initiatives. IA spans organizational boundaries and builds on the requirements
identified in the PSA. It is primarily expressed in the form of standards for the creation of data
models, information flows and an analysis of the decision-making criteria for each of the
activities of the business. IA also addresses information access, data security, privacy and
business and information continuity.

Assessment and Progress
Michigan's IA has grown exponentially as a result of inter-agency collaboration on specific agency projects, as well as
related MDIT architecture and standards programs. The significant progress to date not only
marks the quality and success of existing programs but also establishes the baseline for
developing the Information Architecture approach.
1.2 Information Systems Categorization
FIPS 199 establishes security categories for both information and information systems. The
security categories are based on the potential impact on an organization should certain events
occur. The potential impacts could jeopardize the information and information systems needed
by the organization to accomplish its assigned mission, protect its assets, fulfill its legal
responsibilities, maintain its day-to-day functions, and protect individuals. Security categories
are to be used in conjunction with vulnerability and threat information in assessing the risk to
an organization.
FIPS 199 establishes three potential levels of impact (low, moderate, and high) relevant to
securing Federal information and information systems for each of three stated security
objectives (confidentiality, integrity, and availability). (Stine, Kissel, Barker, Fahlsing, & Gulick,
2008).
1.3 Information Systems Owner
An authorizing official must be identified in the system security plan for each system. This person is the
senior management official who has the authority to authorize operation (accredit) of an information
system (major application or general support system) and accept the residual risk associated with the
system. The assignment of the authorizing official should be in writing, and the plan must include the
same contact information listed in Section 3.3. (Swanson, Hash, & Bowen, Guide for Developing Security
Plans for Federal Information Systems, 2006).
One might assume that business operations and cybersecurity teams would naturally work
together towards achieving the shared goal of securing an organization's data. But according to
a joint study between Dartmouth College, the University of Pennsylvania, and the University of
Southern California, there is a fundamental schism between business operations and security
(Shugg, 2016). This schism is not irreparable, but it must be addressed if data protection is to
be achieved. The business operations side could be expressed like this: "No approach can ever
succeed without considering people – and as a profession we need to look beyond our
computers to understand the business, the culture of the organization, and, most of all, how we
can create a security environment which helps people feel free to actually do their job" (Biscoe,
2018). This business operations perspective might propose reducing network restrictions. A
cybersecurity specialist, on the other hand, might prefer sacrificing some of the freedom and
flexibility of individuals in order to achieve the larger goal of protecting the organization from
intrusion, theft, and exploitation. The schism between business operations and cybersecurity
could thus be summed up like this: flexibility vs. security or, put another way, flexibility vs.
standardization.
System personnel contacts include contact information for the system owner, authorizing official, other designated contacts, and the division security officer.
System Owner
Name:
Title:
Agency:
Address:
Phone Number:
E-mail Address:

Authorizing Official
Name:
Title:
Agency:
Address:
Phone Number:
E-mail Address:

Information Security Manager (ISM)
Name:
Title:
Agency:
Address:
Phone Number:
E-mail Address:
(FDIC, 2017)
2: Management
2.1 Roles and Responsibilities
Pursuant to the Federal Information Security Management Act (FISMA) of 2002 and the
Office of Management and Budget (OMB) Circular A-130, Appendix III, the Environmental
Protection Agency (EPA) requires employees and contractors fulfilling roles with significant
information security responsibilities to understand and have the capacity to carry out these
responsibilities. In response to this requirement, EPA has developed a procedure defining each
role and outlining necessary responsibilities to ensure the confidentiality, integrity, and
availability of EPA's information and information systems.

Authority:
1. Federal Information Security Management Act of 2002 (FISMA), Public Law 107-347, as amended
2. Office of Management and Budget (OMB) Memorandum M-06-16, Protection of Sensitive Agency Information
3. OMB Circular A-130, Management of Federal Information Resources, revised
4. National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, as amended
5. EPA CIO 2150.3, Environmental Protection Agency Information Security Policy, August 6, 2012, and all subsequent updates or superseding directives

Roles and Responsibilities: This section provides roles and responsibilities for
personnel who have IT security or related governance responsibility for protecting the
information and information systems they operate, manage and support. The NIST
information security related publications will be a primary reference used to develop EPA
procedures, standards, guidance and other directives in support of EPA policy. EPA directives
will supplement, clarify, and implement NIST, OMB and other higher level directives for EPA's
systems, operations, and environments.

a) The EPA Administrator is responsible for:
1) Ensuring that an Agency-wide information security program is developed, documented, implemented, and maintained to protect information and information systems.
2) Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the Agency, and on information systems used, managed, or operated by the Agency, another Agency, or by a contractor or other organization on behalf of the Agency.
3) Ensuring that information security management processes are integrated with Agency strategic and operational planning processes.
4) Ensuring that Assistant Administrators (AAs), Regional Administrators (RAs) and other key officials provide information security for the information and information systems that support the operations and assets under their control.
5) Ensuring enforcement and compliance with FISMA and related information security directives.
6) Delegating to the Assistant Administrator, Office of Environmental Information/Chief Information Officer (CIO) the authority to ensure compliance with FISMA and related information security directives.
7) Ensuring EPA has trained personnel sufficient to assist in complying with FISMA and other related information security directives.
8) Ensuring that the CIO, in coordination with AAs, RAs and other key officials, reports annually on the effectiveness of the EPA information security program, including progress of remedial actions, to the EPA Administrator, Congress, OMB, the Department of Homeland Security (DHS) and other entities as required by law and Executive Branch direction.
9) Ensuring annual Inspector General FISMA information security audit results are reported to Congress, OMB, DHS and other entities as required by law and Executive Branch direction.
b) The Chief Information Officer (CIO) is responsible for:
1) Ensuring the EPA information security program and protection measures are compliant with FISMA and related information security directives.
2) Developing, documenting, implementing, and maintaining an Agency-wide information security program as required by EPA policy, FISMA and related information security directives to enable and ensure EPA meets information security requirements.
3) Developing, documenting, implementing, and maintaining Agency-wide, well-designed, well-managed continuous monitoring and standardized risk assessment processes (EPA, 2005).
2.2 Planning Management
Information security incidents will be communicated in a manner allowing timely corrective
action to be taken. Formal incident reporting and escalation procedures will be established and
communicated to all users. Responsibilities and procedures will be established to handle
information security incidents once they have been reported. (State of Oregon)
2.3 Implementation Management
[OAR 125-800-0005 through 125-800-0020 require agencies to develop an information
security plan based on the enterprise standard (as laid out in ORS 182.122, the cited OAR, and
published statewide policy). Agencies are to submit security plans to the DAS Enterprise Security
Office for certification and revise plans to meet certification requirements.]
2.4 Risk Management
SANS recommends completing a risk assessment prior to an audit to determine the types of
threats and vulnerabilities that create a risk to the organization (Page, 2003). Risk assessments
can help the security team understand the existing system and environment, and thus help
set a baseline for the audit (Schmittling, 2010). Risk assessments can also be used by
auditors to determine the current degree of compliance with the organization's policies as well
as with existing governmental regulations and legislation (Schmittling, 2010).
2.6 Audit Criteria
To determine what elements should be included in a cyber audit, we first need to select the
audit criteria. ISACA Audit and Assurance Standard recommends selecting criteria according to
their Objectivity, Completeness, Relevance, Measurability, Understandability (ISACA, 2008). The
criteria should also be recognized, authoritative, publicly available, and available to all users
(ISACA, 2008).
2.7 Hiring Auditors
Once the audit criteria have been selected and signed-off on by the C-Suite, we will want to hire
auditors and pass the criteria off to them. In the TED Talk, “Hire the Hackers,” underworld
researcher Misha Glenny proposed the idea of hiring hackers as part of this auditing process
(Glenny, 2011). Glenny suggested that an escrow system could be used as an approach to hire
hackers and help keep them accountable. ButTouhill & Touhill, in Cybersecurity for Executives
recommends avoiding what exposing an organization to risk, and since hiring a hacker could
expose an organization to risk, it would be better to “avoid” (Touhill & Touhill, 2014). Likewise,
TechTarget recommends not being impressed by people who call themselves "ethical hackers."
Many so-called ethical hackers,” they say, “are just script-kiddies with a wardrobe upgrade”
(Fennelly, 2003).
3: Planning
3.1 Information Security Implementation
3.1.1 Physical security:
The objective of physical and environment security is to prevent unauthorized physical access, damage,
theft, compromise, and interference to information and facilities. Locations housing critical or sensitive
information or information assets will be secured with appropriate security barriers and entry controls.
They will be physically protected from unauthorized access, damage and interference. Secure areas will
be protected by appropriate security entry controls to ensure that only authorized personnel are allowed
access. Security will be applied to off-site equipment. All equipment containing storage media will be
checked to ensure that any sensitive data and licensed software has been removed or securely
overwritten prior to disposal in compliance with statewide policies. (State of Oregon).
3.1.2 Access control:
Access to information, information systems, information processing facilities, and business processes will
be controlled on the basis of business and security requirements. Formal procedures will be developed
and implemented to control access rights to information, information systems, and services to prevent
unauthorized access. Users will be made aware of their responsibilities for maintaining effective access
controls, particularly regarding the use of passwords. Users will be made aware of their responsibilities
to ensure unattended equipment has appropriate protection. A clear desk policy for papers and
removable storage devices and a clear screen policy will be implemented, especially in work areas
accessible by the public. Steps will be taken to restrict access to operating systems to authorized users.
Protection will be required commensurate with the risks when using mobile computing and teleworking
facilities. (State of Oregon).
3.1.3 Website Data Security:
Discussion: The following categories are the most common Rules of Behavior (ROB). These categories are listed in NIST SP 800-18 as the "minimal" recommended set of ROB that an organization should have. Sample language for each category is provided below.
Sample Language:
A. Passwords
1. Passwords should be a minimum of eight characters, and be a combination of letters, numbers and special characters (such as *#$ %). Dictionary words should not be used.
2. Passwords will be changed at least every 90 days and should never be repeated. Compromised passwords will be changed immediately.
3. Passwords must be unique to each user and must never be shared by that user with other users. For example, colleagues sharing office space must never share each other's password to gain system access.
4. Users who require multiple passwords should never be allowed to use the same password for multiple applications.
5. Passwords must never be stored in an unsecured location. Preferably, passwords should be memorized. If this is not possible, passwords should be kept in an approved storage device, such as a Government Services Administration Security Container. If they are stored on a computer, this computer should not be connected to a network or the Internet. The file should be encrypted.
B. Encryption
1. All sensitive data, including Personally Identifiable Information (PII), must be encrypted prior to transmission.
2. The sensitivity of the information needing protection, among other considerations, determines the sophistication of the encryption technology. Sensitive PII or compartmentalized information should always be encrypted.
3. Files that contain passwords, proprietary information, any Personally Identifiable Information (PII), business information, or financial data must be encrypted before transmission, and must be encrypted while stored on the computer's hard disk drive.
4. Sensitive information, including Personally Identifiable Information (PII), that travels over wireless networks and devices must be encrypted.
C. Internet Usage
1. Downloading files, programs, templates, images, and messages, except those explicitly authorized and approved by the system administrator, is prohibited.
2. Visiting websites including, but not limited to, those that promote, display, discuss, share, or distribute hateful, racist, pornographic, explicit, or illegal activity is strictly prohibited.
3. Because they pose a potential security risk, the use of Web based instant messaging or communication software or devices is prohibited.
4. Using the Internet to make non-work related purchases or acquisitions is prohibited.
5. Using the Internet to manage, run, supervise, or conduct personal business enterprises is prohibited.
D. Email
1. Except for limited personal use, non-work-related e-mail is prohibited. The dissemination of e-mail chain letters, e-mail invitations, or e-mail cards is prohibited.
2. E-mail addresses and e-mail list-serves constitute sensitive information and are never to be sold, shared, disseminated, or used in any unofficial manner.
3. Using an official e-mail address to subscribe to any non-work related electronically distributed newsletter or magazine is prohibited.
E. Working from Home/Remote Dial-up Access
1. Users may dial into the network remotely only if pre-approved by the system administrator.
2. Users must be certain to log off and secure all connections/ports upon completion.
3. Users who work from home must ensure a safe and secure working environment free from unauthorized visitors. At no time should a "live" dial-up connection be left unattended.
4. Web browsers must be configured to limit vulnerability to an intrusion and increase security.
5. Home users connected to the Internet via a broadband connection (e.g. DSL or a cable-modem) must install a hardware or software firewall.
6. No official material may be stored on the user's personal computer. All data must be stored on a floppy disk and then secured in a locked filing cabinet, locker, etc. PII information may never be stored on any media or device without encryption and password protection.
7. Operating system configurations should be selected to increase security.
(HUD, 2005)
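The password rules in category A above (minimum length, mixed character classes, no dictionary words, no reuse of a previous password) are the part of the ROB that a system can enforce automatically at password-change time. The following is an added example written for this plan to show how such a check is built; it is not HUD's or NIST's code. Its assumptions: the wordlist is a small constructed sample standing in for a full dictionary, leet-speak normalization is used so that "P@ssw0rd" is still caught, and the password history is kept as salted PBKDF2 hashes rather than clear text, so a leaked history file does not reveal old passwords.

```python
"""Added example: enforcing the password rules of behavior (ROB category A).

Illustrative code written for this plan, not HUD's or NIST's implementation.
Assumptions: DICTIONARY is a constructed sample wordlist; password history is
stored as (salt, PBKDF2-SHA256 digest) pairs so old passwords never sit in
clear text.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8
SPECIAL = set("*#$%!@&^()-_=+[]{};:,.?/\\|~`'\"<>")

# Constructed sample wordlist. A real deployment would load a full dictionary
# plus a breached-password corpus here.
DICTIONARY = {"password", "welcome", "summer", "acme", "letmein", "qwerty", "admin"}

PBKDF2_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash used for the password-history entries."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_for_history(password: str) -> tuple[bytes, bytes]:
    """Return a (salt, digest) pair to append to a user's password history.

    Each entry gets its own random salt, so two users (or one user twice)
    choosing the same password produce different stored digests.
    """
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


def _leet_normalize(text: str) -> str:
    """Lower-case and undo the common digit/symbol-for-letter substitutions."""
    table = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s", "!": "i"})
    return text.lower().translate(table)


def contains_dictionary_word(password: str) -> bool:
    """True if any dictionary word (4+ letters) appears inside the normalized
    password, so 'P@ssw0rd1!' is rejected even though it has all character classes."""
    norm = _leet_normalize(password)
    return any(word in norm for word in DICTIONARY if len(word) >= 4)


def check_password(password: str, history=()) -> list[str]:
    """Return the list of ROB violations for a candidate password.

    An empty list means the password satisfies rule A.1 (length, character
    classes, no dictionary word) and rule A.2's no-reuse requirement against
    the supplied history of (salt, digest) pairs.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIAL for c in password):
        problems.append("no special characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    # Rule A.2: never repeat a previous password. Every history entry has its
    # own salt, so the candidate is re-hashed per entry; compare_digest keeps
    # the comparison constant-time.
    for salt, digest in history:
        if hmac.compare_digest(_pbkdf2(password, salt), digest):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    old_salt, old_digest = hash_for_history("Tr0ub4dor&3")
    for candidate in ("short1!", "P@ssw0rd1!", "Tr0ub4dor&3", "Xk9#mQ2vLp"):
        print(candidate, "->", check_password(candidate, [(old_salt, old_digest)]) or "OK")
```

The 90-day rotation rule (A.2) is a lifecycle rule enforced by the account system's expiry timestamp, not by this string check; and rule A.4 (no reuse across applications) cannot be verified by any single application. Note also that the newer NIST SP 800-63B (2017) drops composition rules and periodic rotation in favour of screening candidates against breached-password lists, which is why the dictionary check above is the part most worth keeping.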
3.1.4 Mobile and Cloud service:
It is critical to recognize that security is a cross-cutting aspect of the architecture that spans across
all layers of the reference model, ranging from physical security to application security. Therefore,
security concerns in a cloud computing architecture are not solely under the purview of the Cloud
Providers, but also of Cloud Consumers and other relevant actors. Cloud-based systems still need to address security
requirements such as authentication, authorization, availability, confidentiality, identity
management, integrity, audit, security monitoring, incident response, and security policy
management. While these security requirements are not new, we discuss cloud specific perspectives
to help discuss, analyze and implement security in a cloud system. (Liu et al., 2011)
3.1.5 Timely Integration of Information:
3.1.6 Reliable Communication:
3.1.7 System Development and Maintenance:
3.2 Contingency Planning
Introduction
Cybersecurity professionals are responsible for ensuring network availability in order to meet
business objectives and avoid business losses while at the same time protecting against possible
loss of data via man-made disasters or natural disasters. Many professionals find that there is
an inherent conflict, or a negative correlation, between these two objectives. In my opinion,
finding a balance between these competing objectives should be the ultimate goal.
Network Availability vs. System Protection
Network Availability is part of the CIA triad of Confidentiality, Integrity, and Availability. A
corporate network must remain available both so that employees can do their work, and
because if a system goes down the business stands to lose revenue. The longer a system is
down, the more revenue will be lost. Some experts have commented that Availability gets
singled out as the all-important objective "because the other two [Confidentiality and Integrity] are
difficult to quantify from the perspective of measuring the impact of controls you put in place
to preserve them" (King, 2008). But the simplicity of a metric (i.e., available/not available)
should not determine its importance. ISSPs are complicated and must take into account
prevention, mitigation, and contingencies, and they should not be overwhelmingly concerned
with availability (Lee, 2001).
Contingency Plans and Securing a System
When a cybersecurity team begins to develop an Information System Security Plan (ISSP),
they will first conduct a risk assessment based on a FIPS 199 impact analysis (Swanson, Hash, &
Bowen, 2006). The results of this analysis can help the team make informed decisions regarding
what needs to be protected and how, as well as how to respond in case the security
implementations fail. A Contingency Plan is a preparation for possible losses of data in order to
"mitigate the risk of system and service unavailability by providing effective and efficient
solutions to enhance system availability" (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). So,
we see that a contingency plan can help restore availability by minimizing downtime and
reducing losses.
Possible solutions: Resilience and Education
“Rather than just working to identify and mitigate threats, vulnerabilities, and risks,
organizations can work toward building a resilient infrastructure” (Swanson, Bowen, Phillips,
Gallup, & Lynes, 2010). Resilience is essentially the ability to quickly adapt and recover from an
incident, and effective contingency planning includes “incorporating security controls early in the
development of an information system and maintaining these controls on an ongoing basis”
(Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). In addition to resilience, cybersecurity teams
should educate employees to help them fully understand the need for security decisions so that
in the case of a temporary loss of availability they can be a part of the recovery plan and thus
increase the organization’s resilience (Shugg, 2016).
4: Implementation Management
4.1 Proposed Timeline/Execution
Implementation of this ISSP should take place over the next three months and should not exceed
six months.
(Government of Hong Kong, 2018)
4.2 Budget
The budget for this ISSP, including system upgrades, risk assessment and penetration tests,
training, and other related upgrades should not exceed the program budget. All additional
expenses should first be procured according to company budgeting policies.
5: Risk Management
5.1 Risk Identification
Identify assets: What data, systems, or other assets would be considered your
organization’s “crown jewels”? For example, which assets would have the most
significant impact on your organization if their confidentiality, integrity or availability
were compromised? It’s not hard to see why the confidentiality of data like social
security numbers and intellectual property is important. But what about integrity? For
example, if a business falls under Sarbanes-Oxley (SOX) regulatory requirements, a
minor integrity problem in financial reporting data could result in an enormous cost.
Or, if an organization is an online music streaming service and the availability of music
files is compromised, then they could lose subscribers.
Identify vulnerabilities: What system-level or software vulnerabilities are putting the
confidentiality, integrity, and availability of the assets at risk? What weaknesses or
deficiencies in organizational processes could result in information being
compromised?
Identify threats: What are some of the potential causes of assets or information
becoming compromised? For example, is your organization’s data center located in a
region where environmental threats, like tornadoes and floods, are more prevalent?
Are industry peers being actively targeted and hacked by a known crime syndicate,
hacktivist group, or government-sponsored entity? Threat modeling is an important
activity that helps add context by tying risks to known threats and the different ways
those threats can cause risks to become realized via exploiting vulnerabilities.
Identify controls: What do you already have in place to protect identified assets? A
control directly addresses an identified vulnerability or threat by either completely
fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized
(mitigation). For example, if you’ve identified a risk of terminated users continuing to
have access to a specific application, then a control could be a process that
automatically removes users from that application upon their termination. A
compensating control is a “safety net” control that indirectly addresses a risk.
Continuing with the same example above, a compensating control may be a quarterly
access review process. During this review, the application user list is cross-referenced
with the company’s user directory and termination lists to find users with
unwarranted access and then reactively remove that unauthorized access when it’s
found (Rapid 7, 2018).
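The quarterly access review described above, written out as an added example (not part of this ISSP or of Rapid 7's material): it cross-references an application's user list with the company directory and the HR termination list and reports accounts that should no longer have access. All names, dates and the `svc_backup` service account are constructed.

```python
# Added example: the quarterly access review from 5.1 as a compensating control.
# It reconciles an application's user list against the company directory and the
# termination list and flags accounts with unwarranted access. Data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    days_lingering: Optional[int]  # days since termination, when applicable

def review_access(app_users: Iterable[str],
                  directory: Dict[str, str],
                  terminations: Dict[str, date],
                  review_date: date,
                  approved_service_accounts: Iterable[str] = ()) -> List[Finding]:
    """Flag application accounts not backed by an active, non-terminated employee."""
    approved = set(approved_service_accounts)
    findings: List[Finding] = []
    for user in app_users:
        if user in approved:
            continue  # documented non-human account, reviewed under its own process
        if user in terminations:
            last_day = terminations[user]
            if last_day <= review_date:  # termination already effective
                findings.append(Finding(user, "terminated employee still provisioned",
                                        (review_date - last_day).days))
            # future-dated termination: still employed on review day, nothing to flag
        elif user not in directory:
            findings.append(Finding(user, "no matching directory entry", None))
    return findings

def revocation_list(findings: List[Finding]) -> List[str]:
    """Accounts to remove, sorted so the output is stable for ticketing."""
    return sorted(f.user for f in findings)

# Constructed sample data standing in for the directory export, HR list and app export.
DIRECTORY = {"alice": "Finance", "bob": "Engineering", "dana": "Support"}
TERMINATIONS = {"carol": date(2018, 3, 30), "erin": date(2018, 6, 15),
                "gil": date(2018, 7, 31)}  # gil's last day is after the review date
APP_USERS = ["alice", "bob", "carol", "erin", "gil", "svc_backup", "frank"]
REVIEW_DATE = date(2018, 7, 8)

if __name__ == "__main__":
    for f in review_access(APP_USERS, DIRECTORY, TERMINATIONS, REVIEW_DATE, ["svc_backup"]):
        print(f"{f.user:<12} {f.reason} ({f.days_lingering} days)")
```

The `days_lingering` field is what makes the review's quarterly cadence visible: a terminated user found 100 days later shows how long the compensating control alone leaves access open.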
5.2 Risk Assessment
ROI for Security Investment (ROISI) models are critical for convincing management to fund
cybersecurity initiatives and thus protect the company from losses due to cyber-attacks. But the
traditional ROI formula was not developed for security investments, as security investments are
not traditional expenses that provide a direct return. As Bruce Schneier writes, “Security is not
an investment that provides a return, like a new factory or a financial instrument. It's an
expense that, hopefully, pays for itself in cost savings” (Schneier, 2008). Getting at what these
“cost savings” might be is tricky, and can involve a lot of guesswork. ROI calculators attempt to
break down potential expenses/investments and their associated cost savings in a way that can
take some of the guesswork out of the equation. With the support of current cybersecurity
research on the average cost of different types of attacks, as well as organizational risk
assessments and contingency reports, we can generate credible inputs to an ROISI and
therefore a more credible prediction of cost savings based on cybersecurity investments. The
intent is that this detailed financial report will be one that the management will be more likely to
support. As one cybersecurity writer put it, “If you prepare a well-explained justification for
your cybersecurity budget using terminology and language understandable by management,
your chances of getting the budget approved without modifications will at minimum double”
(Kolochenko, 2015).
This is the process of combining the information you’ve gathered about assets, vulnerabilities,
and controls to define a risk. There are many frameworks and approaches for this, but you’ll
probably use some variation of this equation:
Risk = (threat × vulnerability (exploit likelihood × exploit impact) × asset value) − security
controls (Rapid 7, 2018).
Analysis
The Initiative ROI model itemizes the expenses and cost savings of IT initiatives. The FSSCC
model, on the other hand, simulates inherent risks and an organization’s security maturity level.
As the FSSCC model documentation says, “In general, as inherent risk rises, an institution’s
maturity levels should increase” (FFIEC, 2015). It is difficult to compare these tools, because
they have different intents. The FSSCC calculator is composed of mostly Yes/No questions. One
of its most useful fields, and one that I would consider a must in ROISI calculators, is the
number of attempted cyber-attacks in the past year. The ROI Initiative calculator does not ask
for the number of attempted cyber-attacks, but it does have an “Initiative Type” box that
seems to simulate some of the costs of attempted attacks. Because of the large difference
between these tools, this is the closest I can get to a field-to-field comparison.
Neither of these two models, nor any other model on the market, for that matter, is perfect,
especially when it comes to monetizing the innumerable intangible benefits of security. The
best thing to do with these models is to use them, but not take them as the last word on how to
improve your security. As Bruce Schneier says, “when you get an ROI model from your vendor,
take its framework and plug in your own numbers…and use those results as a general guide,
along with risk management and compliance analyses, when you're deciding what security
products and services to buy” (Schneier, 2008). The problem with these models/calculators is
that, “not all benefits can credibly be translated into financial benefit terms. These are
sometimes referred to as intangible benefits” (Hall Consulting & Research LLC, n.d.). “The
workbook provides a structure to estimate how the initiative may impact non-financial KPIs”
(Hall Consulting & Research LLC, n.d.).
ROI Features
As mentioned above, among the factors that I would consider “must-haves” in an ROI are
“Attempted Cyber Attacks” and the related question, “How many hours to resolve each attack.”
Also important are an accounting of false positive/negative alerts and number of hours dealing
with those false alerts, as the Ponemon Institute reported that “45 percent of respondents say
it was the high number of false positives and IT security alerts they had to respond to”
(Ponemon Institute, 2017). The FSSCC ACAT model does a good job addressing the number of
attacks as well as false alerts, as do several online ROI security calculators, including
Outgrow.com, Cygilant.com, FireEye.com, and Vigilant.com, among others. Among the
“nice-to-have” features, I would include questions about how many people and how many total hours it
takes to respond to various types of incidents, as included in the online ROI calculators I
reviewed.
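An ROISI model built from the fields the text singles out, as an added example (not part of this ISSP or of any of the calculators named): attempted attacks and hours to resolve each, false alerts and the hours spent on them, and people per incident. Every numeric input below is constructed, as is the assumed structure of the investment's effect (a fractional reduction in each cost item).

```python
# Added example: a small ROI-for-Security-Investment (ROISI) model using the
# "must-have" and "nice-to-have" fields discussed in 5.2. All values constructed.
from dataclasses import dataclass
from typing import Dict

@dataclass
class Posture:
    attempted_attacks_per_year: int
    hours_to_resolve_each: float
    people_per_incident: int
    false_alerts_per_year: int
    hours_per_false_alert: float
    loaded_hourly_rate: float              # fully loaded cost of one analyst hour
    expected_successful_attacks: float     # breaches per year at this posture
    avg_cost_per_successful_attack: float  # taken from published breach-cost research

@dataclass
class Investment:
    annual_cost: float
    breach_reduction: float       # fraction of successful attacks prevented
    false_alert_reduction: float  # fraction of false alerts eliminated
    resolution_reduction: float   # fraction cut from hours spent per incident

def annual_exposure(p: Posture) -> Dict[str, float]:
    """Itemized yearly cost of the current posture (the 'cost savings' baseline)."""
    return {
        "incident_response": p.attempted_attacks_per_year * p.hours_to_resolve_each
                             * p.people_per_incident * p.loaded_hourly_rate,
        "false_alerts": p.false_alerts_per_year * p.hours_per_false_alert
                        * p.loaded_hourly_rate,
        "breach_losses": p.expected_successful_attacks * p.avg_cost_per_successful_attack,
    }

def exposure_after(p: Posture, inv: Investment) -> Dict[str, float]:
    """The same items after the investment's assumed reductions take effect."""
    before = annual_exposure(p)
    return {
        "incident_response": before["incident_response"] * (1 - inv.resolution_reduction),
        "false_alerts": before["false_alerts"] * (1 - inv.false_alert_reduction),
        "breach_losses": before["breach_losses"] * (1 - inv.breach_reduction),
    }

def roisi(p: Posture, inv: Investment) -> float:
    """(cost savings - investment) / investment; 0.0 is break-even, negative loses money."""
    savings = sum(annual_exposure(p).values()) - sum(exposure_after(p, inv).values())
    return (savings - inv.annual_cost) / inv.annual_cost

# Constructed inputs: 120 attempts/yr handled by 2 people for 6 h each, 4000 false
# alerts at 30 min each, one breach every two years at an assumed $500k.
CURRENT = Posture(120, 6.0, 2, 4000, 0.5, 75.0, 0.5, 500_000.0)
PROPOSAL = Investment(annual_cost=150_000.0, breach_reduction=0.6,
                      false_alert_reduction=0.5, resolution_reduction=0.25)

if __name__ == "__main__":
    for item, cost in annual_exposure(CURRENT).items():
        print(f"{item:<18} {cost:>12,.0f} -> {exposure_after(CURRENT, PROPOSAL)[item]:>12,.0f}")
    print(f"ROISI: {roisi(CURRENT, PROPOSAL):.2f}")
```

In Schneier's terms, the framework is fixed and the numbers are yours: changing only the reduction fractions shows how sensitive the result is to the vendor's claimed effectiveness.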
Figure 1: Common questions in online ROI calculators (Cygilant, 2018).
The Initiative ROI model does not ask about the number of attacks per year or the number of
alerts, which I find potentially problematic but, as mentioned, it seems that some of the costs
have been simulated based on Initiative Type. It also seems that Hall Consulting & Research LLC
had a somewhat different intent when they developed the Initiative ROI. The tool seems to be
more of a budgeting tool rather than a cost savings tool.
So whereas the FSSCC tool seems more predictive and provides a generalized picture of a
network’s maturity, the ROI Initiative tool seeks to provide a more precise picture of the security
budget.
Conclusions and Recommendations
A financial officer of a company could be convinced to spend dollars on something that you
"believe/might" happen if you speak with them about the potential costs to the organization if
you are not protected. “If you speak with management about money – speak their language
and you will definitely get what you need” (Kolochenko, 2015). If you make it clear how much
an attack might cost them, and spell out the potential costs clearly, they will be more willing to
allocate funds to purchase new hardware or software. This will answer their “so what?”
questions in ways that they can understand.
5.3 Analysis & Prioritization
Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
Example: You have identified a vulnerability on a server where critical assets are
stored, and you apply a patch for that vulnerability.
Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
Example: You have identified a vulnerability on a server where critical assets are
stored, but instead of patching the vulnerability, you implement a firewall rule that
only allows specific systems to communicate with the vulnerable service on the
server.
Transference: Transferring the risk to another entity so your organization can recover
from incurred costs of the risk being realized.
Example: You purchase insurance that will cover any losses that would be incurred if
vulnerable systems are exploited. (Note: this should be used to supplement risk
remediation and mitigation but not replace them altogether.)
Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is
clearly low and the time and effort it takes to fix the risk costs more than the costs
that would be incurred if the risk were to be realized.
Example: You have identified a vulnerability on a server but concluded that there is
nothing sensitive on that server; it cannot be used as an entry point to access other
critical assets, and a successful exploit of the vulnerability is very complex. As a result,
you decide you do not need to spend time and resources to fix the vulnerability.
Risk avoidance: Removing all exposure to an identified risk.
Example: You have identified servers with operating systems (OS) that are about to
reach end-of-life and will no longer receive security patches from the OS creator.
These servers process and store both sensitive and non-sensitive data. To avoid the
risk of sensitive data being compromised, you quickly migrate that sensitive data to
newer, patchable servers. The servers continue to run and process non-sensitive data
while a plan is developed to decommission them and migrate non-sensitive data to
other servers. (Rapid 7, 2018).
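The risk equation quoted in 5.2 applied to a small constructed risk register, with each residual score mapped to one of the treatments listed in 5.3, as an added example (not from this ISSP or from Rapid 7). The 1-to-5 scales, the `controls` score on the same scale as the inherent score, and `ACCEPT_THRESHOLD` are assumptions; the equation's subtraction of controls from the product is taken as written on the page.

```python
# Added example: score risks with "threat x vulnerability (likelihood x impact)
# x asset value - controls" and choose a 5.3 treatment from the residual score.
from dataclasses import dataclass
from typing import List

@dataclass
class Risk:
    name: str
    threat: int              # 1-5: how likely a capable actor is to target this
    exploit_likelihood: int  # 1-5: how readily the vulnerability can be exploited
    exploit_impact: int      # 1-5: damage if it is exploited
    asset_value: int         # 1-5: importance of the affected asset
    controls: int = 0        # strength of existing controls, subtracted per the equation
    patch_available: bool = True
    end_of_life: bool = False  # platform no longer receives security patches

# Residual scores at or below this are treated as "clearly low" (assumption; max is 625).
ACCEPT_THRESHOLD = 25

def vulnerability(r: Risk) -> int:
    """The inner term of the equation: exploit likelihood x exploit impact."""
    return r.exploit_likelihood * r.exploit_impact

def inherent_score(r: Risk) -> int:
    """threat x vulnerability x asset value, before any controls."""
    return r.threat * vulnerability(r) * r.asset_value

def residual_score(r: Risk) -> int:
    """Inherent score minus security controls, floored at zero."""
    return max(inherent_score(r) - r.controls, 0)

def recommend(r: Risk) -> str:
    """Pick a 5.3 treatment; transference (insurance) supplements any of them."""
    if r.end_of_life:
        return "avoidance"      # remove exposure: move sensitive data off the platform
    if residual_score(r) <= ACCEPT_THRESHOLD:
        return "acceptance"
    if r.patch_available:
        return "remediation"    # the patch fixes the underlying vulnerability
    return "mitigation"         # e.g. a firewall rule limiting who can reach the service

def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest residual risk first, giving the order for the remediation queue."""
    return sorted(risks, key=residual_score, reverse=True)

# Constructed register entries mirroring the examples given under 5.3.
REGISTER = [
    Risk("Unpatched service on server holding critical data", 4, 4, 5, 5),
    Risk("Vendor appliance with no patch, reachable only from named hosts",
         3, 3, 4, 4, controls=60, patch_available=False),
    Risk("Lab server with nothing sensitive, complex exploit", 2, 1, 2, 1),
    Risk("Sensitive data on an OS approaching end-of-life", 3, 4, 5, 5, end_of_life=True),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{residual_score(r):>4}  {recommend(r):<12} {r.name}")
```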
5.4 Mitigation Planning, Implementation & Monitoring
5.5 Risk Tracking
5.6 Classification of Risk
5.7 Data Driven Risk
5.8 Business Driven Risk
5.9 Event Driven Risk
6: Cost Management
6.1 Provide security infrastructure that reduces development costs
6.2 Reduce operational costs
6.3 Reducing development costs
6.4 Cost of Security
Cost of security should be compared to the potential loss. For this reason, cybersecurity
budgeting differs from traditional ROI budgeting.
6.5 Planned costs
Managers should not view the security budget as principally being about tools; people and
talent play a big role in an effective security program, says Boison. Many CISOs focus on the
latest tools and wind up bringing in another blinking box, he says. “More mature organizations
are focused on leveraging and utilizing what they have.” Managers here push systems and
tools to their total functionality and only then add another tool. Tools bring complexity, which
can lead to inefficiency in how the tool is implemented and run. (Yasin, 2016)
6.6 Potential costs
6.7 Comparative costs with industry
7: Analysis & Recommendation Management
7.1 Key Elements
7.2 Conclusion and Future Work
8: Student Assessment of ISSP to Cyber Management
Approval
By: __________________________________________________ Date: __________________
By: __________________________________________________ Date: __________________
By: __________________________________________________ Date: __________________
Works Cited
Cygilant. (2018). Cygilant ROI. Retrieved from Cygilant.com: https://www.cygilant.com/roi/
Eguren, L. E. (2000, July). Beyond Security Planning: Towards a Model of Security Management. Retrieved from JHA: www.jha.ac/articles/a060.pdf
EPA. (2005, July 7). Information Security – Roles and Responsibilities. Retrieved from EPA: https://www.epa.gov/sites/production/files/2013-11/documents/cio-2150-3-p-19-1.pdf
FDIC. (2017). FDIC System Security Plan Template. Retrieved from FDIC: https://www.fdic.gov/buying/goods/acquisition/itsecurityplantemplate.doc
Fennelly, C. (2003, March). IT security auditing: Best practices for conducting audits. Retrieved from TechTarget: https://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits?src=itke+disc
FFIEC. (2015, June). FFIEC Cybersecurity Assessment Tool. Retrieved from FFIEC: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_User_Guide_June_2015_PDF2_a.pdf
Glenny, M. (2011). Hire the Hackers! TEDGlobal2011. Retrieved from https://www.ted.com/talks/misha_glenny_hire_the_hackers
Government of Hong Kong. (2018, July). Security Management. Retrieved from INFOSEC Hong Kong: https://www.infosec.gov.hk/english/business/security_smc.html
Hall Consulting & Research LLC. (n.d.). Business Value ROI Workbook for IT Initiatives. Retrieved from Hall Consulting & Research LLC: http://hallcr.com/InitiativeROITool.aspx
HUD. (2005, April). System Security Plan (SSP) Template. Retrieved from Department of Housing and Urban Development: https://www.hud.gov/sites/documents/240025G3SSPLANGUID.PDF
ISACA. (2008). IS Audit and Assurance Standard 1008 Criteria. Retrieved from ISACA: http://www.isaca.org/Knowledge-Center/Standards/Documents/1008-Criteria.pdf
King, S. (2008, February 5). Availability and Security. Retrieved from Computer Weekly: https://www.computerweekly.com/blog/Risk-Management-with-Stuart-King-and-Duncan-Hart/Availability-and-Security
Kolochenko, I. (2015, December 1). How to calculate ROI and justify your cybersecurity budget. Retrieved from CSO: https://www.csoonline.com/article/3010007/advanced-persistent-threats/how-to-calculate-roi-and-justify-your-cybersecurity-budget.html
Lee, D. (2001). Developing Effective Information Systems Security Policies. Retrieved from SANS: https://www.sans.org/reading-room/whitepapers/policyissues/developing-effective-information-systems-security-policies-491
Liu, F., et al. (2011, September). NIST Special Publication 500-292: Cloud Computing. Retrieved from NIST: https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505
Ponemon Institute. (2017, November). The 2017 State of Endpoint Security Risk. Retrieved from Barkly: https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/barkly-2017-state-of-endpoint-security-risk-ponemon-institute-final.pdf?t=1529356255819
Rapid 7. (2018). Information Security Risk Management. Retrieved from Rapid 7: https://www.rapid7.com/fundamentals/information-security-risk-management/
Schmittling, R. (2010). Performing a Security Risk Assessment. Retrieved from ISACA: https://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx
Schneier, B. (2008, September 2). Security ROI: Fact or Fiction? Retrieved from CSO: https://www.csoonline.com/article/2123096/metrics-budgets/security-roi--fact-or-fiction-.html
Shugg, C. (2016, July 19). Conflict Within: Business Operations versus Cyber Security. Retrieved from LinkedIn: https://www.linkedin.com/pulse/conflict-within-business-operations-versus-cyber-security-shugg/
State of Michigan. (2017). Appendix H: Enterprise Architecture. Retrieved from Michigan.gov: https://www.michigan.gov/documents/itstrategicplan/H_EnterpriseArchitecture_Web_234558_7.pdf
State of Oregon. (n.d.). Information Security Plan. Retrieved from State of Oregon: https://www.oregon.gov/das/OSCIO/Documents/plan.pdf
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from NIST: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems. Retrieved from NIST: https://ole.sandiego.edu/bbcswebdav/pid-1198327-dt-content-rid-3328090_1/courses/CSOL-550-MASTER/NISTPUB.pdf
Swanson, M., Hash, J., & Bowen, P. (2006, February). Guide for Developing Security Plans for Federal Information Systems. Retrieved from NIST: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for executives : a practical guide. Hoboken, New Jersey: John Wiley & Sons, Inc.
Yasin, R. (2016, April 27). 4 Tips For Planning An Effective Security Budget. Retrieved from Dark Reading: https://www.darkreading.com/careers-and-people/4-tips-for-planning-an-effective-security-budget/d/d-id/1325290