
Everything AI

Jeff Gordy

Cyber Management

CSOL 550

December 16, 2019

Professor Brian Russell

Table of Contents

Abstract

1: Company Summary

2: Management

3: Planning Management

4: Implementation Management

5: Risk Management

6: Cost Management

7: Recommendation

8: Student Assessment of ISSP alignment to Cyber Management

References

Abstract

The purpose of the Information Systems Security Plan (ISSP) is to provide an overview of the security requirements of a system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system (SANS, n.d.). In this ISSP we at Everything AI (EAI) have outlined a summary of our company, the specific management roles related to this document, our strategy for security planning, implementation, risk and cost management. Our ISSP concludes with an analysis and recommendation section including an assessment of the ISSP for non-cyber management personnel. EAI fully complies with all federal and state laws and regulations related to sensitive information handling. EAI uses the NIST Risk Management Framework to identify information assets, evaluate our environment for risk, and mitigate the risk using appropriate controls. EAI reduces costs by keeping low-security workloads in-house and outsourcing confidential sensitive workloads to Amazon’s GovCloud.

1: Company Summary

Everything AI (EAI) is engaged in the business of providing artificial intelligence solutions to the US Federal Government supporting national defense solutions. Founded in 2014, EAI currently has over 1000 employees headquartered in Fredericksburg MD. The US federal government is investing heavily in artificial intelligence (AI) and Everything AI is well positioned to capture much of that funding due to our laser focus on ensuring all of our products and solutions prominently display the phrase “artificial intelligence” (Cornillie, 2019).

1.1 Enterprise Architecture

EAI uses a hub and spoke model for feeding data back from our customers into our Reporting and Alerts engine, built by the infamous MD5 Team within EAI. As shown in the diagram, some customers access resources hosted in the cloud while others host their solution on-premise and connect back to EAI through an encrypted LAN-to-LAN tunnel (Cisco, 2016).

[Figure: EAI hub and spoke enterprise architecture diagram]

2: Management

2.1 Roles and Responsibilities

• The Chief Executive Officer (CEO) is ultimately responsible for approving and authorizing all information security systems and personnel.

• The Chief Information Officer (CIO) is the executive head of the program who reports directly to the CEO. With respect to NIST 800-18 the CIO is the Authorizing Official (Swanson, 2006).

• The Chief Information Security Officer (CISO) reports to the CIO and runs the day-to-day operations of all information system security operations. With respect to NIST 800-18 the CISO is the Information Owner (Swanson, 2006).

• All other team leads report directly to the CISO.

2.2 Planning Management

The CIO is responsible for planning along with the CISO and all appropriate department heads. Any security plans developed must ensure EAI is meeting all laws, regulations and standards applicable to the solution.

2.3 Implementation Management

The CIO is responsible for ensuring implementation meets the needs of Everything AI. The CISO, however, is responsible for the actual day-to-day implementation.

2.4 Risk Management

The CIO is responsible for risk management at Everything AI.

2.5 Human Resource Management

The director of HR is responsible for human resources and will be responsible for implementing policies as developed by the CISO and approved by the CIO.

2.6 Cost Management

Cost management is the responsibility of the CEO. Expenditures must be approved by the current budget or approved with special authorization by the CEO.

3: Planning

3.1 Information Security Implementation

Everything AI processes sensitive data for the US Federal Government. Our legal obligation to our customer requires us to establish processes for ensuring the security and confidentiality of restricted information and to establish administrative, technical, and physical safeguards to protect against unauthorized access or use of this information. Everything AI maintains policies, procedures and guidelines for information security that will at minimum meet our Federal legal obligations and the NIST Risk Management Framework’s recommendations (NIST, 2019) along with the META Security Group Information Security Policy Framework (Palmer, Robinson, & Patilla, 2000).

3.1.1 Physical security:

Physical security policies must clearly define locations where data is housed, the safeguards used to protect against unauthorized access (e.g. barriers, guards, biometrics), and how information contained within printed documents at EAI will be safeguarded.

3.1.2 Access control:

Every employee at EAI will be issued a Common Access Card (CAC) to enable physical access to EAI resources as well as electronic access to EAI information systems.

3.1.3 Website Data Security:

All websites and all external facing resources will be developed in accordance with the OWASP Top 10 best practices. At a minimum, an external security scan of all public facing resources will occur every quarter. If any deficiencies are noted the scans must happen every 30 days for the affected systems until the scans are clean for one calendar year.

3.1.4 Mobile and Cloud service:

EAI has implemented a Choose Your Own Device (CYOD) policy (Kaneshige, 2014). All full-time employees of Everything AI have the choice of a current generation smartphone or tablet that will be managed by EAI IT. The chosen device will be pre-configured to access the employee's network resources, including their company email account.

3.1.5 Timely Integration of Information:

EAI is a real-time data aggregator using machine learning to predict future vulnerabilities and anomalies. As such, the timely integration of information into our model is a must-have requirement. All policies which negatively affect the timely integration of information must be approved by the CEO and CIO.

3.1.6 Reliable Communication:

Much like timely integration, the need for reliable communication with our partners and customers is an absolute must.

3.1.7 System Development and Maintenance:

All system development and maintenance will follow secure coding standards with provisions for seamless rollback if unexpected issues are encountered. Regression testing, verification and formal validation are all required before pushing changes into production.

3.2 Contingency Planning

The purpose is to establish and implement, as needed, policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain sensitive information.

3.2.1 Natural Calamities:

In the event of a complete system-wide outage the procedures outlined in the Business Continuity policy will be implemented.

In the event a non-critical system is offline, IT will begin the process of restoring service either by machine restart, configuration change or restore from backup. This recovery may be delayed while IT determines the root cause of the failure.

All 24/7 circuits and VPN connections are considered critical to operations and the rules outlined in the critical system recovery phase will be followed.

3.2.2 Power Outage:

In the event of a complete system-wide outage the procedures outlined in the Business Continuity policy will be implemented.

3.3 Business Continuity Plan

EAI recognizes that there are significant risks to its essential business processes through potential and unexpected disruptive events. In an effort to mitigate these risks and minimize the time of an outage due to an unexpected event EAI maintains equipment and company data in two geographically disparate data centers.

Primary day-to-day operations occur on equipment hosted in our Fredericksburg, MD data center. All company and customer data reside on a Nimble SAN. This SAN is configured to replicate itself to another Nimble SAN in Las Vegas, NV.

In the event of an outage in Fredericksburg, EAI can bring the volumes in the Las Vegas SAN online and resume operations as of the last snapshot. Databases are snapshotted every 10 minutes and servers are snapshotted daily. In the event of a major hurricane or some other cataclysmic event that disrupts the entire Maryland area, steps will be taken to bring our Las Vegas location online as the new primary data center.

4: Implementation Management

4.1 Proposed Timeline/Execution

The standard execution timeline of all policies is full implementation within 90 days of the authorization date. Per-policy timeline changes are subject to approval by the CISO or CIO.

4.2 Budget

EAI’s fiscal year matches the calendar year. Budgets are developed in October-November and approved in December for the following fiscal year. EAI’s cyber security budget is approximately 20% of the overall Information Technology budget.

5: Risk Management

EAI uses the NIST Risk Management Framework (RMF) to provide a disciplined, structured, and flexible process that manages security risk and privacy risk.

[Figure: NIST Risk Management Framework (RMF) process diagram]

5.1 Risk Identification

Applying standard information classification and security categorization to information systems provides us with a benefit similar to that of using a risk management framework that is well-defined and widely used within industry. It takes the guesswork out of the areas in which we are most likely to make mistakes when developing our own categorization or risk management systems.

5.2 Risk Assessment

Risk assessment is performed by the CIO and outside auditors on an annual basis. Risks are graded according to severity and expected likelihood or frequency with respect to the security objectives of Confidentiality, Integrity, and Availability. This follows the FIPS 199 impact definition model (U.S. Department of Commerce, 2004).

[Figure: FIPS 199 impact definitions for Confidentiality, Integrity, and Availability]

5.3 Analysis & Prioritization

High severity and high likelihood risks are given the highest priority. A low severity and low likelihood risk will have a lower priority for mitigation.

5.4 Mitigation Planning, Implementation & Monitoring

Not all security controls are appropriate for every information system. A key step in the risk management framework is selecting the proper security controls for the information system under evaluation. We then implement the controls and evaluate with monitoring.

5.5 Risk Tracking

Risks are tracked according to the NIST Risk Management Framework 800-37 rev 2 ‘Monitor’ step. “The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions” (Joint Task Force, 2018).

5.6 Classification of Risk

Risks must be classified using both qualitative and quantitative risk assessment. Quantitative risk assessments must calculate an Annualized Loss Expectancy (ALE) for prioritization. A commonly used method of calculating economic impact risk is the following formula (Tan, 2002).

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

Where the Single Loss Expectancy is the underlying Asset Value (AV) * an Exposure Factor (EF). The Exposure Factor is the percentage of asset loss caused by an identified threat and ranges from 0% to 100%. The calculation used at EAI is therefore: ALE = (AV * EF) * ARO
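As an added example that is not part of the original ISSP, the following Python script applies the ALE formula above to a constructed risk register, ranks the entries for prioritization in the order section 5.3 describes (highest expected loss first), and goes one step beyond the page by computing the net annual benefit of a control that lowers ARO or EF. All asset names, dollar values, rates and the control in it are assumed sample data, not EAI figures.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One line of a risk register (constructed sample data, not EAI figures)."""
    name: str
    asset_value: float      # AV: value of the affected asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0 (0%) to 1.0 (100%)
    aro: float              # ARO: expected number of events per year

def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV * EF; an EF outside 0%..100% is a data-entry error, so reject it."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: EF must be between 0.0 and 1.0")
    return risk.asset_value * risk.exposure_factor

def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = (AV * EF) * ARO, the calculation used in section 5.6."""
    if risk.aro < 0:
        raise ValueError(f"{risk.name}: ARO cannot be negative")
    return single_loss_expectancy(risk) * risk.aro

def prioritize(register: List[Risk]) -> List[Tuple[str, float]]:
    """Rank risks by ALE, highest first, rounded to cents for reporting."""
    ranked = [(r.name, round(annualized_loss_expectancy(r), 2)) for r in register]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

def control_net_benefit(risk: Risk, annual_cost: float,
                        aro_after: Optional[float] = None,
                        ef_after: Optional[float] = None) -> float:
    """Beyond what the page states: the annual value of a control that lowers ARO
    and/or EF is ALE_before - ALE_after - annual cost of the control; a negative
    result means the control costs more than the loss it prevents."""
    after = replace(
        risk,
        aro=risk.aro if aro_after is None else aro_after,
        exposure_factor=risk.exposure_factor if ef_after is None else ef_after,
    )
    return annualized_loss_expectancy(risk) - annualized_loss_expectancy(after) - annual_cost

# Constructed sample register: the asset names echo systems named in this ISSP,
# but the dollar values and rates are illustrative, not EAI figures.
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts primary Nimble SAN volumes", 2_000_000, 0.60, 0.10),
    Risk("Public website defacement", 150_000, 0.25, 2.0),
    Risk("Lost CYOD tablet with cached company email", 5_000, 1.00, 12.0),
    Risk("Fredericksburg data center power outage", 500_000, 0.05, 0.50),
]

if __name__ == "__main__":
    for name, ale in prioritize(SAMPLE_REGISTER):
        print(f"${ale:>12,.2f}  {name}")
    # Hypothetical control: immutable off-site snapshots cut ransomware ARO from 0.10 to 0.02
    benefit = control_net_benefit(SAMPLE_REGISTER[0], annual_cost=15_000, aro_after=0.02)
    print(f"Net annual benefit of immutable snapshots: ${benefit:,.2f}")
```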

5.7 Data Driven Risk

EAI has recently (late 2019) requested proposals for a comprehensive threat monitoring solution scheduled for deployment in 2020. The CIO and CISO will be able to monitor our risk posture in real-time using a data driven model which collects, aggregates, and reports on data feeds within EAI.

5.8 Business Driven Risk

Risks that may affect the business objectives must be assessed by the CEO and communicated downstream to the cyber security team. The CEO is in the best position to monitor the business threat landscape and the security team should provide the most actionable cyber threat intelligence possible back upstream for review. This cyber threat intelligence is what business threat information becomes after it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured techniques.

5.9 Event Driven Risk

Event driven risk is mitigated through our continuous data monitoring program. All events which pass automated false-positive testing are reviewed by security staff and appropriate actions are taken for remediation or mitigation.

6: Cost Management

6.1 Provide security infrastructure that reduces development costs

EAI’s security infrastructure reduces development costs by keeping all non-classified IT resources and compute environments in-house while outsourcing all classified information to AWS GovCloud. This hybrid on-premise and cloud-based approach allows us to maximize our budget utilization while offloading the extremely expensive security and compliance certifications and review for classified information handling.

6.2 Reduce operational costs

As mentioned in the infrastructure section, utilizing AWS GovCloud allows EAI to drastically reduce operational costs for sensitive information handling. “AWS GovCloud (US) is an AWS Region designed to address specific regulatory and compliance requirements of US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that run sensitive workloads in the cloud. Beyond the assurance programs applicable to all AWS Regions, the AWS GovCloud (US) Region allows customers to adhere to: US International Traffic in Arms Regulations (ITAR), Federal Risk and Authorization Management Program (FedRAMP), and Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Levels 2, 4, and 5” (Amazon, 2019).

6.3 Reducing development costs

EAI reduces development costs by integrating security early into the software development life cycle. The Systems Sciences Institute at IBM shows that it costs six times more to fix a bug found during implementation than to fix one identified during design. Fixing a bug in test costs fifteen times more, and fixing a bug during the maintenance phase costs up to one hundred (100) times more than during design (IBM, 2010).

6.4 Cost of Security

The security budget is approximately 20% of the overall information technology budget at EAI.

6.5 Planned costs

Expected costs annually include the full-time security team, infrastructure protection, and remediation costs. These include physical security controls, logical security controls, disaster recovery expenses, red/blue teams and the incident response team.

6.6 Potential costs

In the event of a data breach EAI may be subject to fines and other regulatory costs.

6.7 Comparative costs with industry

EAI’s cyber security budget is slightly higher than industry averages but is justified given our customer base and the importance of national defense.

7: Analysis & Recommendation Management

7.1 Key Elements

Key elements that must be considered for appropriate analysis and recommendation management are the overall systems architecture, the inter-connectedness of information assets, security controls, and remediation controls.

Other key considerations, as outlined by the CSAC Institute for Excellence in County Government (CSAC, n.d.), are the following failure modes to avoid:

• Key stakeholders are left out or consulted once risks have already occurred.

• Failure to employ consistent risk identification methodologies results in omitted and unknown risks.

• Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.

• Risk assessment occurs sporadically or only after a major risk event has already occurred.

7.2 Conclusion and Future Work

This ISSP is a living document which must be reviewed quarterly and updated at least annually to take into account new threats, new regulations, and new developments in EAI’s business. On-going education of employees is a critical aspect of future protection.

8: Student Assessment of ISSP to Cyber Management

The ISSP for EAI is a critical foundational document describing our approach to cyber security in multiple domains. The document does not prescribe specific risks or controls but identifies the company’s approach toward development of these details. We require adherence to multiple standards and procedures developed by the US Federal Government’s National Institute of Standards and Technology (NIST). The NIST risk management framework (RMF) “includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle" (Joint Task Force, 2018). Adoption of the NIST RMF is a core component in EAI’s ISSP.

From a business management perspective, the ISSP allows us to confidently react to the marketplace and go fast while maintaining our security level. In this respect, the cyber security team is not a roadblock to progress but is an asset that aids the business by allowing the decision makers to capture a larger market share from customers who require a consistently high security level.

References

Amazon. (2019). AWS GovCloud (US) & Support FAQs.

Cisco. (2016, July 21). LAN-to-LAN IPsec Tunnel Between Two Routers Configuration Example. Retrieved from Cisco.

Cornillie, C. (2019, March 28). Finding Artificial Intelligence Money in the Fiscal 2020 Budget. Retrieved from Bloomberg Government.

CSAC. (n.d.). Build an Organization-Driven IT Risk Management Program.

IBM. (2010). Relative Cost of Fixing Defects.

Joint Task Force. (2018, December). Risk Management Framework for Information Systems and Organizations.

Kaneshige, T. (2014, June 24). Why One CIO Is Saying 'No' to BYOD.

SANS. (n.d.). SCORE: Checklists & Step-by-Step Guides.

Swanson, M. (2006, February). Guide for Developing Security Plans for Federal Information Systems. Retrieved from NIST.

Tan, D. (2002, December). Quantitative Risk Analysis Step-By-Step. Retrieved from: reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849

Touhill, G., & Touhill, C. (2014). Cybersecurity For Executives - A Practical Guide. Hoboken, New Jersey: John Wiley & Sons.

U.S. Department of Commerce. (2004, February). Standards for Security Categorization of Federal Information and Information Systems.
