Ace Consulting
Dan Bedell
Cyber Management
CSOL 550
12/09/2019
Prof. Moore
Abstract
According to the text, Cybersecurity for Executives: A Practical Guide, “cybersecurity is about
risk management. It is about protecting your business, your shareholders’ investments, and
yourself while maintaining competitive advantage and protecting assets.” (Touhill, 2014) Senior
leadership doesn’t have the liberty and freedom to dive deep into the technical aspects of
cybersecurity. It’s their responsibility to manage the everyday workings of the company, not to
be tech savvy; having knowledge of key principles is great but not needed. If executives or
leadership have a hands-off approach to cybersecurity and leave it up to the professionals or the
organization, there are factors that must be taken into consideration. One of the main factors is the
undesired event for an organization, and having a well-thought-out incident response program
provides a layer of protection for an organization, providing logical steps to keep the event from
escalating out of control.” (Behm, 2003) SANS lays out the incident response plan into six
2003) The incident response plan with its six phases shall be executed by a team of people who
have the training, talent, and equipment to respond to incidents in a timely and effective manner.
an organization’s critical, financial, and reputation. Initial costs of implementation may be high
for the organization’s inventory of PCs, but in comparison to a cyber-attack the cost of prevention
outweighs the potential risk, which compromises the hardware and software and steals the PII and PHI of
1: Company Summary
Ace Consulting is currently developing, designing, launching, and maintaining a cyber monitoring
service and identifying the likely types of hardware/software needed. The existing Ace Consulting
cyber security program was developed and launched in 2001. Ace Consulting has determined that
the information systems need to be more secure and better protect sensitive information
belonging to Ace Consulting, its customers, and employees for improved information security to
Ace Consulting is a small business that was founded in 1974 and is focused on project
management consulting and the implementation of best practice processes and solutions. Our
client base consists of other small and medium-sized businesses as well as local, state, and
federal government organizations which lack project management experience and expertise.
Ace Consulting is consolidated in its headquarters in Portland, Oregon with some workers offsite
Project Management
Process Improvement
2: Management
group toward the achievement of goals.” (McCready, 2016) Although this definition of a leader
plays a part in management, it does not encapsulate the term management. McCready defines
management as “the use of authority inherent in designated formal rank to obtain compliance
Perhaps a better way to describe management is by describing the basic operations in the
work of the manager. “First, a manager sets objectives. Second, a manager organizes. They
analyze the activities, decisions, and relations needed. They classify the work. Divide it into
manageable jobs. Third, a manager motivates and communicates. Fourth, a manager creates a
way to measure progress. The manager creates targets and yardsticks. Finally, a manager
develops people, including themselves.” (Drucker, 2011) These five basic operations of a
A manager has the integrity to take extreme ownership. “Managers take responsibility for
contribution. And integrity rather than genius is the basic requirement for managers.” (Drucker,
2011) Integrity is a basic requirement for management because managers must take ownership of
the good as well as the bad. This is extreme ownership; it is having the integrity to own the
The CIO is the approval authority for the Information Systems Security Plan.
The CISO is responsible for the development, implementation, and maintenance of the
Information Systems Security Plan and associated standards and guidelines. (Palmer, 2000)
The Compliance Officer shall be responsible for ensuring Ace Consulting’s
monitoring adheres to applicable laws and regulations. (Johnson, 2015) The position of
Compliance Officer within Ace Consulting shall be held by the Senior IT manager, and must be
The Administrators and Managers are responsible for creating procedures that ensure
information at rest and in transit adheres to the Information Systems Security Plan. (SANS, 2014)
The Users are responsible for using the information, computers, and network systems only for
the intended purposes, and for maintaining the confidentiality, integrity, and availability of the
Cyber security, according to Touhill, “is a holistic set of activities that are focused on
protect information. Effective cyber security preserves the confidentiality, integrity, and
availability of information, protecting it from attack by bad actors, damage of any kind, and
unauthorized access by those who do not have a ‘need to know.’” (Touhill, 2014) The bad actors
include, but are not limited to nation-states, organized crime, hackers, hacktivists, insider threats,
and substandard products and services. (Touhill, 2014) Cyber security managers must be ready to
protect against all possible threats. They must be constantly learning about new technologies,
new threats, and at times, be creative in mitigating those threats. All this must be done in the
Ace Consulting shall keep a hybrid model for their cyber security operations. An
organization that adopts a hybrid model for cyber security operations will have a small in-house
staff that contributes to cyber security operations as well as a robust managing staff to oversee
the operations of not only the in-house staff but also the contractors. Using the hybrid model, the
organization will be able to save money on payroll by outsourcing the bulk of the cyber security
operations to contractors. The hybrid model will also cut the cost of annual training and
maintaining a professional IT staff. The Implementation Management POC shall be the CISO.
To executives, the cyber security managers may seem to spend large amounts of funds
while producing no products. The cyber security manager must seek to limit costs while also
keeping the risks to the enterprise system low. When justifying costs to executives, the cyber
security manager may define cyber security according to Touhill, “Cyber security is about risk
management. It is about protecting your business, your shareholders’ investments, and yourself
Making cyber security about risk management helps nontechnical managers better
understand the monetary investment into cyber security. Cyber security does not produce a
product to sell to customers; rather, it protects the organization’s current investments. Those
investments may include employee and customer health information, banking information, or
The Human Resources Management shall be responsible for creating and enforcing the
rules of behavior. The rules of behavior are an official document which all persons with access
to the system must read and sign that they understand the expectations and responsibilities of
their behavior on the organization’s systems. (Swanson, 2006) Once they sign, they have
acknowledged that they have read and agreed to follow the rules of behavior. By signing they
also recognize that they will be held accountable for any abuses or negligence in not following
the rules of behavior. The POC for the Human Resources Management shall be the President of
The manager’s greatest concern has always been and shall always be the organization’s
economic budget. Cyber security does not produce a product that makes money. Cyber security
spends money to protect the organization from bad actors. Cyber security managers must
objectively show how their contributions save the organization money in both the short and long
about protecting the information that allows the business managers to make those profits.
Although it appears at first look that business management and cyber security management are at
odds with each other over making money and spending money, the reality is that they must work
in concert with each other for the organization to reach its full monetary potential.
3: Planning
An organization needs each employee to have the necessary access to the network in
order to complete production. This access must be balanced with the necessity to protect
against data loss from multiple threats. To accomplish this task the organization will require an
information security plan and have that plan properly governed. Information governance is
about balancing the business objectives with the information security requirements of the
organization.
Physical security shall include Closed-Circuit Television (CCTV), dead bolt locks on
doors, a security alarm system for the building, and a security patrol officer for the building and
parking structure. The POC for physical security policy shall be the CISO.
3.1.2 Access control: Access control to the building and department sections shall be
determined by access badges that must always be worn. The access badges will be coded to a
scramble keypad that must be scanned and have the proper access code entered. To access user
stations a Common Access Card (CAC) must be entered into a card reader and have the unique
access code entered. The POC for access control policies shall be the CISO.
3.1.3 Website Data Security: Website Data Security shall be the responsibility of the
CISO. The CISO shall be the POC for the Website Data Security policy.
3.1.4 Mobile and Cloud service: Mobile devices that are not provided by Ace
Consulting shall not be permitted to connect to the information system. Ace Consulting shall
back up all data to an off-site Cloud service. The POC for the Mobile and Cloud service shall be
the CISO.
other entities, the following authorization for the connection to other systems or the sharing of
Name of system
Organization
Type of connection
Date of agreement
3.1.7 System Development and Maintenance: The deadline for completion of all system
security plans shall be December 31, 2019. This date shall be updated when the plan is annually
reviewed and updated. When updated, the version shall be added. Each review shall contain the
date the authorizing official (CIO), or the designated approving authority (CISO) approved the
System security plans will be reviewed on an annual basis for any changes in status,
functionality, design, etc. This document is critical for system certification activity. Some
information that will be included in the review is: change in information system owner
3.2 Contingency Planning: A successful contingency program will have a well laid out
contingency plan. Using steps in a training program that requires planned testing and planned
exercises followed by review and an update plan will prepare the organization in the event of a
disastrous loss of data and/or capabilities. “The best risk management programs have well-
defined processes, well-trained and motivated employees who understand and implement the
program, and active leadership who maintains ownership over the risk management program.”
(Touhill, 2014)
3.2.1 Natural Calamities: In the event of natural calamities that cause major
shall turn on within five seconds. These generators shall be tested monthly in order to prevent
the diesel fuel from becoming unusable. The POC for the diesel-powered generators for back-up
3.3 Business Continuity Plan: Design, development, licensing, and hosting of Ace
Consulting’s new services and information systems hardware/software needed. The portfolio
will analyze all current contacts and determine target demographics for future and potential
clients.
Monitoring services
Information system should be compatible with all current technologies and easily
upgradeable
4: Implementation Management
Project planning phase must be completed by May 15, 2020. Project planning phase will
4.2 Budget: All proposals must include proposed costs to complete the tasks described in
the project scope. Costs should be stated as one-time or non-recurring costs (NRC) or
monthly recurring costs (MRC). Pricing should be listed for each of the following items
5: Risk Management
mission, functions, image, or reputation), agency assets, or individuals resulting from the
selection, implementation, and assessment of security controls, and the formal authorization to
operate the system. The process considers effectiveness, efficiency, and constraints due to laws,
directives, policies, or regulations. (Swanson, 2014) The POC for risk management shall be the
CISO.
5.1 Risk Identification: To determine the inherent risk to the organization five categories
5.2 Risk Assessment: The risk level has been determined to be moderate for technologies
and connection types, significant for delivery channels, minimal for online/mobile products and
technology services, minimal for organizational characteristics, and significant for external
5.3 Analysis & Prioritization: The “normal” cyber security approaches to identify and
assess vulnerabilities within the cyber infrastructure often are conducted in the form of best
practices. These best practices are often developed through trial and error in mitigating
scientific method approach and taking less of an artistic approach. The “normal” approach is
often conducted with the intent of focusing efforts on testing known security controls, and then
The “hacker” cyber security approaches may often be similar in appearance, but differ in
that hackers tend to take more of a creative approach to testing cyber infrastructure. This
creativity is needed in order for black hat hackers to penetrate into a denied system to exploit the
system. Additionally, hackers often look for the path of least resistance into a system. They will
often choose to find alternative non-conventional approaches to solving problems, because of the
necessity of having to avoid the “textbook” approaches taken by “normal” cyber security
technicians.
risk to the system. Security controls shall be implemented as required to mitigate future
vulnerabilities. The CISO shall have approval authority for implementing security
5.5 Risk Tracking: The auditors must always look at what controls are in place to
mitigate risks and evaluate the efficiency of those controls. (USD, 2016) This is what auditing
the system is all about: recognizing the controls that have been put in place to mitigate specific
risks and testing whether they are in fact protecting the system from those risks. Once the auditors
have verified that the controls in place are doing what they are supposed to be doing, an
auditor is then going to test the system for other known vulnerabilities that are new or may have
been overlooked in the past. Once they have their results, the auditors will be required to
determine whether or not the company wants to pay to update current controls, add new controls,
or accept the risk to the system by not emplacing any controls. What controls to focus on will
be determined early on in the process and will be defined in the audit focus. Since the auditors
have finite resources, they will not be able to audit everything, rather they will focus the audit on
5.6 Classification of Risk: The system shall have impact level of low, moderate, or high
in the security categorization depending on the criticality or sensitivity of the system and any
5.8 Business Driven Risk: Business management is always about financial profits.
Cyber security management is about protecting the information that allows the business
managers to make those profits. Although it appears at first look that business management and
cyber security management are at odds with each other over making money and spending money,
the reality is that they must work in concert with each other for the organization to reach its full
monetary potential. The CIO shall be the approval authority for business-driven risk.
6: Cost Management
The cost per Personal Computer (PC) over a three-year period totals $1,535. The benefits
per PC over the same three-year period totals $5,113. This gives the organization a net benefit of
$3,377 per PC over a three-year period. This gives the organization a Return on Investment
(ROI) of 137%. The total period that it will take for the organization to recoup the expenses of
6.1 Provide security infrastructure that reduces development costs: When factoring
the initial costs of implementation four categories were considered: hardware, software, IT labor,
services, & training, and end-user labor & training. For each of the four categories a one-time
initial cost is assessed along with an annual on-going cost to maintain each category. The total
one-time initial cost for all categories has been determined to be $1,345. The annual on-going
cost for all four categories is $164. Over a three-year period, this adds up to the $1,736 cost per
PC.
6.2 Reduce operational costs: The IT labor/services TCO savings is determined using
five categories: PC management services, help desk (tech support), server & network
management services, application development, and administrative & other. Each of these five
categories show an annual on-going benefit per PC. The total monetary benefit for a one-year
6.3 Reducing development costs: There are other direct cost savings according to the
ROI: IT savings and business savings. The IT savings categories include software (clients),
software (servers), hardware, IT services, power/electricity usage, and other IT costs. These
benefits have a small one-time cost savings of $75 per PC with a $94 annual on-going cost
savings per PC. The business savings include three separate categories: travel expenses,
business services, and other business expenses. The business savings come to a total of $50
over a three-year period per PC. The total cost savings over a three-year period is $406 per PC.
6.4 Cost of Security: The cost per Personal Computer (PC) over a three-year period
totals $1,736.
6.5 Planned costs: The benefits per PC over the same three-year period totals $4,113.
This gives the organization a net benefit of $2,377 per PC over a three-year period. This gives
the organization a Return on Investment (ROI) of 137%. The total period of time that it will take
for the organization to recoup the expenses of the three years of its investment in cyber security
is 12 months.
When factoring the initial costs of implementation four categories were considered:
hardware, software, IT labor, services, & training, and end-user labor & training. For each of the
four categories a one-time initial cost is assessed along with an annual on-going cost to maintain
each category. The total one-time initial cost for all categories has been determined to be
$1,245. The annual on-going cost for all four categories is $164. Over a three-year period this
6.6 Potential costs: The Key Performance Indicator (KPI) is assessed using four
performance, and technology effectiveness. With the implementation of the cyber security
program the first three categories will remain the same. However, the technology effectiveness
category will see an increase of 27.1% over a three-year period. This will result in an overall
6.7 Comparative costs with industry: It is assessed that the initial investment will cost
slightly less than the net benefits of the first year. Each subsequent year the net benefits will
outweigh the costs of maintaining the cyber program. The costs and benefits are only projected out
to three years because of the speed at which technology advances. Every three years the cyber
security program’s technology will need to be reassessed to determine if another large initial
7.1 Key Elements: Finding the most well-rounded cyber security staff for the
organization must be done in a holistic manner. The employer must consider a potential
employee’s educational background, work experience, special skills, and certifications. Rarely
does an employee meet all of the requirements that an employer is looking for. Therefore, the
employer must consider how well this person will fit into the organization’s culture, and how well
they are able to learn new technologies and techniques. If the person has the correct attitude of,
“I will work hard and learn anything that I don’t know,” then they are starting off on the right
foot. There will always be a certain amount of intelligence that is required to do cyber security;
however, a hard worker will always outperform someone that is knowledgeable and lazy.
Organizations should keep a hybrid model for their cyber security operations. An
organization that adopts a hybrid model for cyber security operations will have a small in-house
staff that contributes to cyber security operations as well as a robust managing staff to oversee
the operations of not only the in-house staff but also the contractors. Using the hybrid model, the
organization will be able to save money on payroll by outsourcing the bulk of the cyber security
operations to contractors. The hybrid model will also cut the cost of annual training and
7.2 Conclusion and Future Work: There are a few practical and obvious ways to
ensure that personnel are following the “Spirit” of the NIST SP 800-18. First, require all
personnel to read and sign the rules of behavior before they are allowed access to the
organization’s systems. This will ensure that personnel know and understand what behaviors are
acceptable and which are not. Second, ensure that personnel receive training on safe
computing in an office environment as well as at home. This training will further reinforce the
information systems and what behaviors are deemed unacceptable. Last, I think that blocking
access to non-essential content is a good step in the right direction to keep personnel from being
tempted to abuse the organization’s information systems. Examples of content that would be
blocked include pornography, social media accounts, gaming sites, and video streaming sites.
By blocking such sites from being accessed in the first place, it will prevent personnel from
The ISSP will require more than just an incident response plan. Some of these plans
include a Disaster Recovery Plan (DRP), Information System Contingency Plan (ISCP), and a
Continuity of Operations Plan (COOP). (Swanson, 2010) The DRP applies to major, usually
physical, disasters. Examples include earthquakes, firestorms, floods, and hurricanes. The ISCP
provides procedures for the assessment and recovery of a system following a system disruption.
The COOP focuses its efforts on restoring mission essential functions at an alternate site and
Having policies and plans in place will allow the organization to react in a timely and
effective manner. The organization will have a greater ability to ensure the confidentiality,
information. Having these plans in place is also significant, because in the event that an incident
occurs, the organization’s employees will have a greater understanding of their expectations.
People will be less likely to be running around like chickens with their heads cut off.
As the leader of a cybersecurity team, in the event of any type of attack the training,
preparation, and protection that have been set up using policy and standards shall mitigate any
potential threats. But in the event of a successful attack, leadership shall take the appropriate
steps to stop the spread of damage to the organization. If an attack is successful, the potential
for damage is great, and the need for leadership to communicate the findings, cause, loss, and remedy
of an attack to executives is key. A properly generated report can help spread the correct
information to executives and stakeholders to prevent unwanted losses in revenue. The ISSP can
provide the goals companywide and how an organization will achieve those goals. The ISSP helps all
employees, from executives to new hires, understand their responsibilities when dealing with
security. These plans can help the company grow in the future and the ability to handle any
References:
Behm, Robert L. (2003). The Many Facets of an Information Security Program. SANS Institute
room/whitepapers/awareness/facets-information-security-program-1343.
Touhill, Gregory J., and C. Joseph Touhill. (2014). Cybersecurity For Executives: A Practical
Swanson, Marianne, Joan Hash, and Pauline Bowen. (2006). Guide for Developing Security
Plans for Federal Information Systems. NIST Special Publication 800-18 Revision 1.
Gaithersburg, MD.
Swanson, Marianne, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes.
(2010). Contingency Planning Guide for Federal Information Systems. NIST Special Publication
3328090_1/courses/CSOL-550-MASTER/NISTPUB.pdf.
Drucker, Peter F. (2011). Management Tasks, Responsibilities, Practices. Routledge Taylor &