Management of specialized teams requires an understanding of the challenges those teams face and an ability to document guidance for addressing those challenges. This topic covered the management needs of a cyber security team, in particular building out an Information Systems Security Plan (ISSP) that informs all parties involved of the security needs for a given asset. Managers in an organization not only need to understand risk, business needs, and operational challenges; they also need to ensure they follow proper steps to procure, implement, manage, and monitor systems so that the business can succeed.
As the final project for this subject, we were required to create an Information Systems Security Plan for a fictitious company. Drawing on my professional experience with a K12 school district, I focused on creating an ISSP for a fictitious school district. The paper below covers the Company Summary, Management Structure, Planning, Risk Management, Cost Management, Analysis and Recommendations, and Assessment of the ISSP.
Going through a program that focuses on Operations and Leadership, this topic was a key factor in setting expectations for the standards required in managing teams and systems in this field. Creating strong Information System Security Plans (ISSPs), understanding the role of each stakeholder, and, most importantly, being able to provide guidance on these systems as they affect the business side of the organization are all aspects of a strong leader. Having the structure of the ISSP helps me think through how the security solutions I build with my customers truly impact their business. It helps me provide them with guidance and show that I care about their overall security posture, not just the specific function where our products play. Additionally, during the assignment, we took into consideration various compliance requirements and how they affect our system and those who operate it. As a leader, it's crucial to understand that compliance is always going to be a factor in your environment, but it should be the baseline of security on which you build better controls.
Ethically, it's important that any leader of an environment, especially those who manage systems (not just people), understands the importance of strong documentation for a security posture. Building an ISSP not only shows that you have focused on the security of a given system; it also leaves crucial information in place so that others can continue to secure the system without you being present. Setting guidance on roles and responsibilities, as well as on how a plan is implemented, should leave no decision to guesswork and no question without an appropriate authority to answer it. This allows the business to continue operating as normal in the event that you or other crucial operators of the system are no longer available.
Ultimately, a strong understanding of the management of systems and the documentation of their security through an ISSP allows security professionals and the organizations they work for to bring systems online securely and as quickly as possible. Regular review of these plans allows for growth as the environment (both business and threat) changes. In the event that unexpected changes do occur, contingency planning allows organizations to adapt quickly and limit damage. Combined, planning and implementation provide strong security operations for an organization, enabled through the leadership we've learned during this topic.