Information Technology / Security
WARNING: YOU MUST PARAPHRASE INFORMATION USED IN THIS ASSIGNMENT. Copy/Paste is only allowed for the names and designators of security controls and/or control families. All other information used in this assignment must be rewritten into your own words.
Company Background & Operating Environment
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things” technologies while maintaining period correct architectural characteristics. Please refer to the company profile (file posted in Week 1 > Content > CSIA 413 Red Clay Renovations Company Profile.docx) for background information and information about the company’s operating environment. In addition to the information from the company profile, you should:
· Use the Wilmington Headquarters (staff) office as the target for the System Security Plan
· Use Verizon FiOS as the Internet Services Provider (see http://www.verizonenterprise.com/terms/us/products/internet/sla/ )
Policy Issue & Plan of Action
A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s headquarters and field offices. This requirement has been incorporated into the company’s risk management plan and the company’s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play since it must review and approve all changes which affect IT systems under its purview.
The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP-800-18 Guide for Developing Security Plans for Federal Information Systems . The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best practices information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also accepted the CISO’s recommendation for creating a single System Security Plan for a General Support System since, in the CISO’s professional judgement, this type of plan would best meet the “formalization” requirement from the company’s recently adopted risk management strategy.
Your Task Assignment
As a staff member supporting the CISO, you have been asked to research and then draft the required system security plan for a General Support System. In your research so far, you have learned that:
· A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.” (See NIST SP 800-18)
· The Chief of Staff for the company is the designated system owner for the IT support systems in the Wilmington, DC headquarters offices.
· The system boundaries for the Wilmington, DE office’s General Support System have already been documented in the company’s enterprise architecture (see the case study).
· The security controls required for the Wilmington, DE office’s IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).
|
Section 13 of this document will take you the most time to research and write because it requires the most original writing on your part. You must write a description for EACH CONTROL CATEGORY (managerial, operational, and technical). Then, paste in the table from the Security Controls Baseline. THEN, write a descriptive paragraph explaining how these specific controls will work together to protect the Red Clay Renovations IT Infrastructure for the Wilmington, DE Offices (Headquarters).
|
URLs for Recommended Resources For This Project
|
Title |
Type |
Link |
|
Service Level Agreement (SLA) Internet Dedicated Services | Verizon Enterprise |
Web Page |
http://www.verizonenterprise.com/terms/us/products/internet/sla / |
|
NIST SP 800-100 Information Security Handbook: A Guide for Managers |
| |
|
NIST SP 800-12 R1: An Introduction to Information Security |
|
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf |
|
NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems |
|
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf |
|
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations |
|
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf |
Research:
1. Review the information provided in the case study and in this assignment, especially the information about the headquarters and field offices and the IT systems and networks used in their day to day business affairs.
2. Review NIST’s guidance for developing a System Security Plan for a general support IT System. This information is presented in
a. NIST SP 800-12 R1 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf Pay special attention to Chapter 2 and Section 5.4
b. NIST SP 800-18. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf Pay special attention to the Sample Information System Security Plan template provided in Appendix A.
3. Review the definitions for IT Security control families as documented in NIST SP 800-12 R1 Chapter 10. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
4. Review the definitions for individual controls as listed in Appendix F Security Control Catalog in NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf You should focus on those controls listed in the security controls baseline provided with this assignment.
Write:
1. Use the following guidance to complete the System Security Plan using the template from Appendix A of NIST SP 800-18.
a. Sections 1 through 10 will contain information provided in the assigned case study. You may need to “interpret” that information when writing the descriptions. “Fill in the blanks” for information about the company or its managers which is not provided in the case study, i.e. names, email addresses, phone numbers, etc.). Make sure that your fictional information is consistent with information provided in the case study (name of company, locations, etc.).
b. Section 11 should contain information about the Wilmington, DE headquarters office’s Internet connection Do not include the table. Use the business Internet Services Provider listed at the top of this assignment file. Describe the system interconnection type in this section and service level agreement.
c. Section 12 should contain information derived from the case study. You will need to identify the types of information processed in the headquarters offices and then list the laws and regulations which apply. For example, if the case study company processes or stores Protected Health Information, then this section must include information about HIPAA. If the company processes or stores credit card payment information, then this section must include information about the PCI-DSS requirements. For the Headquarters Offices you also have financial information which may be covered by regulations issued by the Securities and Exchange Commission.
d. Section 13 of the SSP will take the most research and writing time. You MUST provide the required descriptive paragraphs for the three categories AND the explanations as to how the security controls within the control families will be used to secure the IT infrastructure. You MUST use the selected security control families and security controls as provided security controls baseline.
i. Create 3 sub sections (13.1 Management Controls, 13.2 Operational Controls, and 13.3 Technical Controls). You must provide a description for each category (see the definitions provided in Annex 11.B Minimum Security Controls in NIST SP 800-100 Information Security Handbook: A Guide for Managers ).
ii. Using the information provided in the security controls baseline, place the required control families and controls under the correct sub section.
iii. Use the exact names and designators for the security control families and individual security controls. BUT, you MUST paraphrase any and all descriptions. Do NOT cut and paste from NIST documents.
e. Section 14: use the due date for this assignment as the plan complete date.
f. Section 15: leave the approval date blank. You will not have any other text in this section (since the plan is not yet approved).
2. Use a professional format for your System Security Plan. Your document should be consistently formatted throughout and easy to read.
3. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count.
4. Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.
5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
6. Consult the grading rubric for specific content and formatting requirements for this assignment.
IT Security Controls Baseline for Red Clay Renovations
To ensure compatibility with existing policy and documentation, Red Clay Renovations’ IT Security policies, plans, and procedures will continue to use the following security control classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).
Security Controls Baseline
Red Clay Renovations Security Controls Baseline shall include the security controls listed below. Security control definitions and implementation guidance shall be obtained from the most recent version of NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
1. AC: Access Controls (Technical Controls Category)
|
AC-1 |
Access Control Policy and Procedures |
AC-1 |
|
AC-2 |
Account Management |
AC-2 (1) (2) (3) (4) |
|
AC-3 |
Access Enforcement |
AC-3 |
|
AC-4 |
Information Flow Enforcement |
AC-4 |
|
AC-5 |
Separation of Duties |
AC-5 |
|
AC-6 |
Least Privilege |
AC-6 (1) (2) (5) (9) (10) |
|
AC-7 |
Unsuccessful Logon Attempts |
AC-7 |
|
AC-8 |
System Use Notification |
AC-8 |
|
AC-11 |
Session Lock |
AC-11 (1) |
|
AC-12 |
Session Termination |
AC-12 |
|
AC-14 |
Permitted Actions without Identification or Authentication |
AC-14 |
|
AC-17 |
Remote Access |
AC-17 (1) (2) (3) (4) |
|
AC-18 |
Wireless Access |
AC-18 (1) |
|
AC-19 |
Access Control for Mobile Devices |
AC-19 (5) |
|
AC-20 |
Use of External Information Systems |
AC-20 (1) (2) |
|
AC-21 |
Information Sharing |
AC-21 |
|
AC-22 |
Publicly Accessible Content |
AC-22 |
2. AT: Awareness and Training (Operational Controls Category)
|
AT-1 |
Security Awareness and Training Policy and Procedures |
AT-1 |
|
AT-2 |
Security Awareness Training |
AT-2 (2) |
|
AT-3 |
Role-Based Security Training |
AT-3 |
|
AT-4 |
Security Training Records |
AT-4 |
3. AU: Audit and Accountability (Technical Controls Category)
|
AU-1 |
Audit and Accountability Policy and Procedures |
AU-1 |
|
AU-2 |
Audit Events |
AU-2 (3) |
|
AU-3 |
Content of Audit Records |
AU-3 (1) |
|
AU-4 |
Audit Storage Capacity |
AU-4 |
|
AU-5 |
Response to Audit Processing Failures |
AU-5 |
|
AU-6 |
Audit Review, Analysis, and Reporting |
AU-6 (1) (3) |
|
AU-7 |
Audit Reduction and Report Generation |
AU-7 (1) |
|
AU-8 |
Time Stamps |
AU-8 (1) |
|
AU-9 |
Protection of Audit Information |
AU-9 (4) |
|
AU-10 |
Non-repudiation |
Not Selected |
|
AU-11 |
Audit Record Retention |
AU-11 |
|
AU-12 |
Audit Generation |
AU-12 |
4. CA: Security Assessment and Authorization (Management Controls Category)
|
CA-1 |
Security Assessment and Authorization Policies and Procedures |
CA-1 |
|
CA-2 |
Security Assessments |
CA-2 (1) |
|
CA-3 |
System Interconnections |
CA-3 (5) |
|
CA-5 |
Plan of Action and Milestones |
CA-5 |
|
CA-6 |
Security Authorization |
CA-6 |
|
CA-7 |
Continuous Monitoring |
CA-7 (1) |
|
CA-9 |
Internal System Connections |
CA-9 |
5. CM: Configuration Management (Operational Controls Category)
|
CM-1 |
Configuration Management Policy and Procedures |
CM-1 |
|
CM-2 |
Baseline Configuration |
CM-2 (1) (3) (7) |
|
CM-3 |
Configuration Change Control |
CM-3 (2) |
|
CM-4 |
Security Impact Analysis |
CM-4 |
|
CM-5 |
Access Restrictions for Change |
CM-5 |
|
CM-6 |
Configuration Settings |
CM-6 |
|
CM-7 |
Least Functionality |
CM-7 (1) (2) (4) |
|
CM-8 |
Information System Component Inventory |
CM-8 (1) (3) (5) |
|
CM-9 |
Configuration Management Plan |
CM-9 |
|
CM-10 |
Software Usage Restrictions |
CM-10 |
|
CM-11 |
User-Installed Software |
CM-11 |
6. Contingency Planning (Operational Controls Category)
|
CP-1 |
Contingency Planning Policy and Procedures |
CP-1 |
|
CP-2 |
Contingency Plan |
CP-2 (1) (3) (8) |
|
CP-3 |
Contingency Training |
CP-3 |
|
CP-4 |
Contingency Plan Testing |
CP-4 (1) |
|
CP-5 |
Withdrawn |
--- |
|
CP-6 |
Alternate Storage Site |
CP-6 (1) (3) |
|
CP-7 |
Alternate Processing Site |
CP-7 (1) (2) (3) |
|
CP-8 |
Telecommunications Services |
CP-8 (1) (2) |
|
CP-9 |
Information System Backup |
CP-9 (1) |
|
CP-10 |
Information System Recovery and Reconstitution |
CP-10 (2) |
7. IA: Identification and Authentication (Technical Controls Category)
|
IA-1 |
Identification and Authentication Policy and Procedures |
IA-1 |
|
IA-2 |
Identification and Authentication (Organizational Users) |
IA-2 (1) (2) (3) (8) (11) (12) |
|
IA-3 |
Device Identification and Authentication |
IA-3 |
|
IA-4 |
Identifier Management |
IA-4 |
|
IA-5 |
Authenticator Management |
IA-5 (1) (2) (3) (11) |
|
IA-6 |
Authenticator Feedback |
IA-6 |
|
IA-7 |
Cryptographic Module Authentication |
IA-7 |
|
IA-8 |
Identification and Authentication (Non-Organizational Users) |
IA-8 (1) (2) (3) (4) |
8. IR: Incident Response (Operational Controls Category)
|
IR-1 |
Incident Response Policy and Procedures |
IR-1 |
|
IR-2 |
Incident Response Training |
IR-2 |
|
IR-3 |
Incident Response Testing |
IR-3 (2) |
|
IR-4 |
Incident Handling |
IR-4 (1) |
|
IR-5 |
Incident Monitoring |
IR-5 |
|
IR-6 |
Incident Reporting |
IR-6 (1) |
|
IR-7 |
Incident Response Assistance |
IR-7 (1) |
|
IR-8 |
Incident Response Plan |
IR-8 |
9. MA: Maintenance (Operational Controls Category)
|
MA-1 |
System Maintenance Policy and Procedures |
MA-1 |
|
MA-2 |
Controlled Maintenance |
MA-2 |
|
MA-3 |
Maintenance Tools |
MA-3 (1) (2) |
|
MA-4 |
Nonlocal Maintenance |
MA-4 (2) |
|
MA-5 |
Maintenance Personnel |
MA-5 |
10. MP: Media Protection (Operational Controls Category)
|
MP-1 |
Media Protection Policy and Procedures |
MP-1 |
|
MP-2 |
Media Access |
MP-2 |
|
MP-3 |
Media Marking |
MP-3 |
|
MP-4 |
Media Storage |
MP-4 |
|
MP-5 |
Media Transport |
MP-5 (4) |
|
MP-6 |
Media Sanitization |
MP-6 |
|
MP-7 |
Media Use |
MP-7 (1) |
11. PE: Physical and Environmental Protection (Operational Controls Category)
|
PE-1 |
Physical and Environmental Protection Policy and Procedures |
PE-1 |
|
PE-2 |
Physical Access Authorizations |
PE-2 |
|
PE-3 |
Physical Access Control |
PE-3 |
|
PE-4 |
Access Control for Transmission Medium |
PE-4 |
|
PE-5 |
Access Control for Output Devices |
PE-5 |
|
PE-6 |
Monitoring Physical Access |
PE-6 (1) |
|
PE-8 |
Visitor Access Records |
PE-8 |
|
PE-9 |
Power Equipment and Cabling |
PE-9 |
|
PE-10 |
Emergency Shutoff |
PE-10 |
|
PE-11 |
Emergency Power |
PE-11 |
|
PE-12 |
Emergency Lighting |
PE-12 |
|
PE-13 |
Fire Protection |
PE-13 (3) |
|
PE-14 |
Temperature and Humidity Controls |
PE-14 |
|
PE-15 |
Water Damage Protection |
PE-15 |
|
PE-16 |
Delivery and Removal |
PE-16 |
|
PE-17 |
Alternate Work Site |
PE-17 |
12. PL: Planning (Management Controls Category)
|
PL-1 |
Security Planning Policy and Procedures |
PL-1 |
|
PL-2 |
System Security Plan |
PL-2 (3) |
|
PL-4 |
Rules of Behavior |
PL-4 (1) |
|
PL-8 |
Information Security Architecture |
PL-8 |
13. PS: Personnel Security (Operational Controls Category)
|
PS-1 |
Personnel Security Policy and Procedures |
PS-1 |
|
PS-2 |
Position Risk Designation |
PS-2 |
|
PS-3 |
Personnel Screening |
PS-3 |
|
PS-4 |
Personnel Termination |
PS-4 |
|
PS-5 |
Personnel Transfer |
PS-5 |
|
PS-6 |
Access Agreements |
PS-6 |
|
PS-7 |
Third-Party Personnel Security |
PS-7 |
|
PS-8 |
Personnel Sanctions |
PS-8 |
14. RA: Risk Assessment (Management Controls Category)
|
RA-1 |
Risk Assessment Policy and Procedures |
RA-1 |
|
RA-2 |
Security Categorization |
RA-2 |
|
RA-3 |
Risk Assessment |
RA-3 |
|
RA-5 |
Vulnerability Scanning |
RA-5 (1) (2) (5) |
15. SA: System and Services Acquisition (Management Controls Category)
|
SA-1 |
System and Services Acquisition Policy and Procedures |
SA-1 |
|
SA-2 |
Allocation of Resources |
SA-2 |
|
SA-3 |
System Development Life Cycle |
SA-3 |
|
SA-4 |
Acquisition Process |
SA-4 (1) (2) (9) (10) |
|
SA-5 |
Information System Documentation |
SA-5 |
|
SA-8 |
Security Engineering Principles |
SA-8 |
|
SA-9 |
External Information System Services |
SA-9 (2) |
|
SA-10 |
Developer Configuration Management |
SA-10 |
|
SA-11 |
Developer Security Testing and Evaluation |
SA-11 |
16. SC: System and Communications Protection (Technical Controls Category)
|
SC-1 |
System and Communications Protection Policy and Procedures |
SC-1 |
|
SC-5 |
Denial of Service Protection |
SC-5 |
|
SC-7 |
Boundary Protection |
SC-7 |
|
SC-8 |
Transmission Confidentiality |
SC-8 |
|
SC-18 |
Mobile Code |
SC-18 |
|
SC-19 |
Voice Over Internet Protocol |
SC-19 |
|
SC-28 |
Protection of Information at Rest |
SC-28 |
|
SC-39 |
Process Isolation |
SC-39 |
17. SI: System and Information Integrity (Operational Controls Category)
|
SI-1 |
System and Information Integrity Policy and Procedures |
SI-1 |
|
SI-2 |
Flaw Remediation |
SI-2 (2) |
|
SI-3 |
Malicious Code Protection |
SI-3 (1) (2) |
|
SI-4 |
Information System Monitoring |
SI-4 (2) (4) (5) |
|
SI-5 |
Security Alerts, Advisories, and Directives |
SI-5 |
|
SI-7 |
Software, Firmware, and Information Integrity |
SI-7 (1) (7) |
|
SI-8 |
Spam Protection |
SI-8 (1) (2) |
|
SI-10 |
Information Input Validation |
SI-10 |
|
SI-11 |
Error Handling |
SI-11 |
|
SI-12 |
Information Handling and Retention |
SI-12 |
|
SI-16 |
Memory Protection |
SI-16 |
18. PM: Program Management (Management Controls Family)
|
PM-1 |
Information Security Program Plan |
all |
|
PM-2 |
Senior Information Security Officer |
all |
|
PM-3 |
Information Security Resources |
all |
|
PM-4 |
Plan of Action and Milestones Process |
all |
|
PM-5 |
Information System Inventory |
all |
|
PM-6 |
Information Security Measures of Performance |
all |
|
PM-7 |
Enterprise Architecture |
all |
|
PM-8 |
Critical Infrastructure Plan |
all |
|
PM-9 |
Risk Management Strategy |
all |
|
PM-10 |
Security Authorization Process |
all |
|
PM-11 |
Mission/Business Process Definition |
all |
|
PM-12 |
Insider Threat Program |
all |
|
PM-13 |
Information Security Workforce |
all |
|
PM-14 |
Testing, Training, and Monitoring |
all |
|
PM-15 |
Contacts with Security Groups and Associations |
all |
|
PM-16 |
Threat Awareness Program |
all |
Information System Security Plan Template (Use This)
1. Information System Name/Title:
• Unique identifier and name given to the system. [use information from the case study]
2. Information System Categorization:
• Identify the appropriate system categorization [use the information from the case study].
3. Information System Owner:
• Name, title, agency, address, email address, and phone number of person who owns the system. [Use the field office manager]
4. Authorizing Official:
• Name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official. [Use the company’s Chief Information Officer.]
5. Other Designated Contacts:
• List other key personnel, if applicable; include their title, address, email address, and phone number. [include the CISO, the ISSO, and other individuals from the case study, if appropriate]
6. Assignment of Security Responsibility:
• Name, title, address, email address, and phone number of person who is responsible for the security of the system. [use the case study information]
7. Information System Operational Status:
• Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status. [Use the case study information.]
8.0 Information System Type:
• Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose. [use the case study information]
9.0 General System Description/Purpose
• Describe the function or purpose of the system and the information processes. [use the case study information]
10. System Environment
• Provide a general description of the technical system. Include the primary hardware, software, and communications equipment.
[use the case study information and diagrams. Add brand names, equipment types as required (if not provided in the case study)]
11. System Interconnections/Information Sharing
• List interconnected systems and system identifiers (if appropriate), provide the system name, owning or providing organization, system type (major application or general support system) … add a fictional date of agreement to interconnect, and the name of the authorizing official.
12. Related Laws/Regulations/Policies
• List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system.
13. Minimum Security Controls
Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for each section. Cut and paste the tables from the provided security controls baseline to add the individual security controls under each section. Use the sections and sub-sections as listed below.
13.1 Management Controls
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.1.1 [first control family]
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.1.2 [second control family]
…………
13.2 Operational Controls
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.2.1 [first control family]
13.2.2 [second control family]
…………..
13.3 Technical Controls
[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]
13.3.1 [ first control family]
13.3.2 [ second control family]
…………
Example:
14. Information System Security Plan Completion Date: _____________________
• Enter the completion date of the plan.
15. Information System Security Plan Approval Date: _______________________
• Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file.
|
Red Clay Renovations |
|
Company Profile |
Table of Contents
Company Overview ......................................................................................................................................1
Corporate Governance & Management ................................................................................................... 1
Operations ................................................................................................................................................ 4
Acquisitions ............................................................................................................................................... 5
Legal and Regulatory Environment ........................................................................................................... 5
Policy System ............................................................................................................................................ 6
Risk Management & Reporting ................................................................................................................. 6
IT Security Management ........................................................................................................................... 7
Information Technology Infrastructure .......................................................................................................8
Enterprise Architecture ............................................................................................................................. 8
Operations Center IT Architecture ............................................................................................................ 9
Field Office IT Architecture ..................................................................................................................... 10
System Interconnections ........................................................................................................................ 11
Tables
Table 1. Key Personnel Roster......................................................................................................................3
Table 2. Red Clay Renovations Office Locations & Contact Information......................................................4
Figures
Figure 1. Red Clay Renovations Organization Chart.....................................................................................2
Figure 2. Overview for Enterprise IT Infrastructure......................................................................................9
Figure 3. IT Architecture for Operations Center.........................................................................................10
Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things” technologies while maintaining period correct architectural characteristics. The company’s primary line of business is Home Remodeling Services (NAICS 236118).
Corporate Governance & Management
Red Clay Renovations was incorporated in the State of Delaware in 1991 and is privately held. (Its stock is not publicly traded on a stock exchange.)The company maintains a legal presence (“Corporate Headquarters”) in Delaware to satisfy laws relating to its status as a Delaware corporation. The company has a five member Board of Directors (BoD). The Chief Executive Officer (CEO) and Chief Financial Officer (CFO) each own 25% of the corporation’s stock; both serve on the BoD. The CEO is the chair person for the BoD. The three additional members of the BoD are elected from the remaining stock holders and each serve for a three year term. The BoD provides oversight for the company’s operations as required by state and federal laws. Its primary purpose is to protect the interests of stockholders. Under state and federal law, the BoD has a fiduciary duty to ensure that the corporation is managed for the benefit of the stockholders (see http://www.nolo.com/legal-encyclopedia/fiduciary-responsibility-corporations.html). The BoD has adopted a centrally managed “Governance, Risk, and Compliance” (GRC) methodology to ensure that the corporation meets the expectations of stakeholders while complying with legal and regulatory requirements.
The company’s senior management includes the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Operating Officer (COO), Director of Architecture & Construction Services (A&C), Director of Customer Relations (CR), Director of Human Resources (HR), the Director of Information Technology Services (ITS), and the Director of Marketing and Media (M&M). The Director of ITS is dual-hatted as the company’s Chief Information Security Officer (CISO). These individuals constitute the Executive Board for the company and are responsible for implementing the business strategies, policies, and plans approved by the BoD. A separately constituted IT Governance Board is chaired by the Chief Operating Officer. The five directors (A&C, CR, HR, ITS, and M&M) serve as members of the IT Governance board. This board considers all matters related to the acquisition, management, and operation of the company’s information technology resources.
The CEO, CFO, and COO have been with the company since it started in 1991. The Directors for A&C, CR, and HR have over 20 years each with the company. The Director for M&M has ten years of service. The Director of ITS / CISO has been with the company less than two years and is still trying to bring a semblance of order to the IT management program – especially in the area of IT security services. This is a difficult task due to the company’s failure to promptly hire a replacement for the previous director who retired two years ago.
|
Table 1. Key Personnel Roster Name & Title |
Office Location |
Office Phone No. |
|
|
Josiah Randell CEO |
Wilmington |
910-555-2158 |
[email protected] |
|
Isabelle Bromley Executive Assistant to Mr. Randell |
Wilmington |
910-555-2150 |
Isabelle_Bromley@ redclayrennovations.com |
|
Natalie Randell Chief of Staff |
Wilmington |
910-555-2152 |
[email protected] |
|
Morgan Randell CFO |
Wilmington |
910-555-2159 |
[email protected] |
|
Julia Randell COO |
Owings Mills |
667-555-5000 |
[email protected] |
|
Edward Randell, Esq Corporate Counsel |
Wilmington |
910-555-1000 |
[email protected] |
|
Erwin Carrington CIO & Director IT Services |
Owings Mills |
667-555-6260 |
[email protected] |
|
Eric Carpenter CISO / Deputy CIO |
Owings Mills |
667-555-6370 |
[email protected] |
|
Amanda Nordham Director, Customer Relations |
Owings Mills |
667-555-6400 |
[email protected] |
|
Rebecca Nordham Director, Marketing & Media |
Ownings Mills |
667-555-6900 |
[email protected] |
|
Eugene Nordham Director, Architecture & Services |
Owings Mills |
667-555-8000 |
[email protected] |
|
Charles Knox Manager & Architect in Charge, Baltimore Field Office |
Baltimore |
443-555-2900 |
[email protected] |
|
Erica Knox Office Manager & ISSO, Baltimore Field Office |
Baltimore |
443-555-2900 |
[email protected] |
|
William Knox Manager & Architect in Charge, Philadelphia Field Office |
Philadelphia |
267-555-1200 |
[email protected]. |
|
Alison Knox-Smith Office Manager & ISSO, Philadelphia Field Office |
Philadelphia |
267-555-1200 |
[email protected] |
Operations
Red Clay Renovations has offices in Baltimore, MD, Philadelphia PA, and Wilmington, DE. The contact information for each location is provided in Table 2.
|
Table 2. Red Clay Renovations Office Locations & Contact Information Location |
Mailing Address |
Phone Number |
|
Baltimore Field Office |
200 Commardy Street, Suite 450 Baltimore, MD 21201 |
443-555-2900 |
|
Philadelphia Field Office |
1515 Chester Street Philadelphia, PA 19102 |
267-555-1200 |
|
Operations Center (Owings Mills) |
12209 Red Clay Place Owings Mills, MD 21117 |
667-555-6000 |
|
Wilmington Office |
12 High Street Wilmington, DE 19801 |
910-555-2150 |
The Operations Center is the company’s main campus and is located in suburban Baltimore, MD (Owings Mills). The Owings Mills facility houses the company’s data center as well as general offices for the company’s operations. These operations include: accounting & finance, customer relations, human resources, information technology services, marketing, and corporate management. There are approximately 100 employees at the Operations Center. Day to day management of the Owings Mills facility is provided by the company’s Chief Operating Officer (COO).
The company’s Chief Executive Officer, corporate counsel, and support staff maintain a presence in the company’s Wilmington, DE offices but spend most of their time at the Owings Mills operations center.
Field Offices are located in downtown Baltimore and suburban Philadelphia. Each office has a managing director, a team of 2-3 architects, a senior project manager, a business manager, and an office manager. Support personnel (receptionist, clerks, etc.) are contractors provided by a local staffing services firm. Each office operates and maintains its own IT infrastructure.
The company’s architects, project managers, and other support personnel frequently work from renovation sites using cellular or WiFi connections to access the Internet. Many field office employees are also authorized to work from home or an alternate work location (“telework site”) one or more days per week.
Acquisitions
Red Clay acquired “Reality Media Services,” a five person digital media & video production firm in 2015 (NAICS Codes 512110, 519130, and 541430). RMS creates a video history for each residential construction project undertaken by Red Clay Renovations. RMS also provides Web design and social media services for Red Clay Renovations to promote its services. RMS employees work primarily out of their own home offices using company provided equipment (computers, video / audio production equipment). Each employee also uses personally owned cell phones, laptops, digital cameras, and camcorders. While RMS is now wholly owned by Red Clay, it continues to operate as an independent entity. Red Clay senior management is working to change this, however, starting with bringing all IT and IT related resources under the company’s central management. As part of this change, Red Clay has set up a media production facility (“Media Studio”) in its headquarters location which includes office space for RMS personnel. The production facility and RMS operations are under the management control of the Director, Marketing & Media Services.
Legal and Regulatory Environment
The firm is licensed to do business as a general contractor for residential buildings in three states (DE, MD, PA). The company’s architects maintain professional licensure in their state of residence. The company’s general counsel is licensed to practice law in Delaware and Maryland. The Chief Financial Officer is a Certified Public Accountant (CPA) and licensed to practice in all three states.
The company collects, maintains, and stores personal information from and about customers over the normal course of doing business. This includes credit checks, building plans and drawings for homes, and information about a customer’s family members which needs to be taken into consideration during the design and construction phases of a project (e.g. medical issues / disabilities, hobbies, etc.).
When renovations are required due to a medical condition or disability, the company works with health insurance companies, Medicare/Medicaid, and medical doctors to plan appropriate modifications to the home and to obtain reimbursement from insurers. This sometimes requires that the company receive, process, store, and transmit Protected Health Information (PHI) generated by medical practitioners or as provided by the customer. The company’s legal counsel has advised it to be prepared to show compliance with the HIPAA Security Rule for PHI for information stored on computer systems in its field offices and in the operations center.
Red Clay began offering “Smart Home” renovation services in 2005 (NAICS Codes 541310 and 236118). These services are primarily offered out of the Baltimore and Philadelphia field offices. A large percentage of the company’s “smart home” remodeling work is financed by customers through the Federal Housing Administration’s 203K Rehab Mortgage Insurance program. Red Clay provides assistance in filling out the required paperwork with local FHA approved lenders but does not actually
process mortgages itself. Red Clay does, however, conduct credit checks on prospective customers and accepts credit card payments for services.
As a privately held stock corporation, Red Clay Renovations is exempt from many provisions of the Sarbanes-Oxley Act of 2002. But, in certain circumstances, i.e. a government investigation or bankruptcy filing, there are substantial criminal penalties for failure to protect business records from destruction or spoliation.
Policy System
The company’s Chief of Staff is responsible for the overall organization and management of the company’s collection of formal policies and procedures (“policy system”). The company’s policies provide guidance to employees and officers of the company (CEO, CFO, and the members of the Board of Directors) with respect to their responsibilities to the company. Policies may be both prescriptive (what “must” be done) and proscriptive (what “must not” be done). Responsibility for writing and maintaining individual policies is assigned to a designated manager or executive within the company. Each policy identifies the responsible individual by title, e.g. Director of Human Resources.
The major policy groupings are:
Human Resources
Financial Management
Information Technology
Employee Handbook
Manager Deskbook
Selected policies are published as an Employee Handbook and a Manager’s Deskbook to communicate them to individual employees and managers and to ensure that these individuals are aware of the content of key policies which affect how they perform their duties.
Risk Management & Reporting
The company engages in a formal risk management process which includes identification of risks, assessment of the potential impact of each risk, determination of appropriate risk treatments (mitigation, acceptance, transfer), and implementation of the risk management strategy which is based upon the selected risk treatments. For information technology related risks, the CISO working in conjunction with the IT Governance Board is responsible for identifying and assessing risks.
Corporate-wide, high level risks which could impact the company’s financial performance are disclosed to shareholders during the annual meeting and in the Annual Report to Investors. For the current year, the following high level cybersecurity related risks will be disclosed.
1. Cyber-attacks could affect our business.
2. Disruptions in our computer systems could adversely affect our business.
3. We could be liable if third party equipment, recommended and installed by us (e.g. smart home controllers), fails to provide adequate security for our residential clients.
The company’s risk treatments for cybersecurity related risks include purchasing cyber liability insurance, implementing an asset management and protection program, implementing configuration baselines, implementing configuration management for IT systems and software and auditing compliance with IT security related policies, plans, and procedures.
The corporate board was recently briefed by the Chief Information Officer concerning the company’s IT Security Program and how this program contributes to the company’s risk management strategy. During the briefing, the CIO presented assessment reports and audit findings from IT security audits. These audits focused upon the technical infrastructure and the effectiveness and efficiency of the company’s implementation of security controls. During the discussion period, members of the corporate board asked about audits of policy compliance and assessments as to the degree that employees were (a) aware of IT security policies and (b) complying with these policies. The CIO was tasked with providing audit reports for these items before the next quarterly meeting of the corporate board.
The corporate board also asked the CIO about future plans for improvements to the IT Security program. The CIO reported that, in the coming year, the CISO will begin implementation of an IT vulnerability management program. The CIO also reported that the CISO is working with the IT Governance Board to restart the company’s security education, training, and awareness (SETA) program. SETA activities had fallen into disuse due to a perceived lack of quality and lack of timeliness (out of date materials). The CISO has also determined that the System Security Plans for the field offices are out of date and lacking in important security controls. These plans have been scheduled for update in the near future to ensure that the company’s risk management strategy for cybersecurity risks is fully implemented.
IT Security Management
The company’s Chief Information Security Officer (CISO) is responsible for providing management oversight and technology leadership for the company’s Information Technology security program. This program is designed around the ISO 27001/27002 requirements but is not fully compliant. For cost reasons, the Chief Information Officer (CIO) has decided not to pursue implementation of CobiT or ITIL standards for managing IT systems and services. A less costly alternative, using NIST guidance documents, was approved at the CISO’s suggestion. The CISO’s selected guidance documents include:
NIST SP 800-12 “An Introduction to Computer Security: The NIST Handbook:
NIST SP 800-18 “Guide for Developing Security Plans for Federal Information Systems”
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”
NIST SP 800-100 “Information Security Handbook: A Guide for Managers”
NISTIR 7621 “Small Business Information Security: The Fundamentals”
The CISO has determined that the closest fit for the level of security required by law for the company’s IT systems is the “moderate level” as defined in the FIPS 199/200 standards and specified in NIST SP 800-53 Revision 4. The company has created its own minimum security controls baseline which is used for developing system security plans.
Under the company’s existing IT Security Management Plan, the following individuals are responsible for the security of its IT systems.
1. Chief Information Officer: designated approving official for all IT systems certification and authorization.
2. Chief Information Security Officer: responsible for developing security plans and procedures.
3. Chief Financial Officer: responsible for negotiating and providing oversight for contracts and service level agreements for IT services.
4. Chief Operating Officer: responsible for approval of and compliance with security plans and procedures for the company’s IT Operations Center. The COO is the system owner for all IT systems in the operations center.
5. Field Office Manager: responsible for approval of and compliance with security plans and procedures for his or her field office. The field office manager is the system owner for all IT systems in his or her field office.
6. Field Office Information Systems Security Officer (ISSO): responsible for day to day implementation of security plans, processes, and procedures.
Information Technology Infrastructure
Enterprise Architecture
The overview for the enterprise IT architecture for Red Clay Renovations is shown in Figure 2. This diagram shows the interconnections between the company’s field offices and the operations center. Each facility-to-facility interconnection is made via a Virtual Private Network (VPN). The VPN connects the Local Area Networks (LANs) in the operations center and the field offices to the company’s enterprise network. All IT systems are in the operational phase of the Systems Development Lifecycle. The company does not have plans at this time to upgrade (“major modification”) or implement (“under development”) any IT systems.
Operations Center IT Architecture
The Owings Mills facility (see Figure 3) contains the company’s operations (data) center as well as general offices for the company’s operations. These operations include: accounting & finance, customer relations, human resources, information technology services, marketing, and corporate management.
Field Office IT Architecture
The company’s corporate headquarters are located in Wilmington, DE. These offices have the same IT architecture as is used by the field offices in Baltimore and Philadelphia (see Figure 4). The company’s Chief Executive Officer and support staff maintain a presence in Delaware but spend most of their time at the Owings Mills operations center. The company’s architects, project managers, and other support personnel frequently work from renovation sites using cellular or WiFi connections to access the Internet. Many field office employees, including “Reality Media Services” staff, are also authorized to work from home or an alternate work location (“telework site”) one or more days per week.
Red Clay’s offices have been remodeled to use the “smart home” and “Internet of Things” technologies which it installs in the residential buildings that it rehabilitates. These devices have IP addresses and are connected to the in-office wireless network (WiFi). Each smart device has a controller which can be accessed via a Web-based interface that runs on the office’s application server (username and password required). The brand and type of equipment varies. The majority of these devices have little to no security beyond a password protected Web-based logon. Every Red Clay location also has one or more conference rooms which provide “smart” podiums, projection and video conferencing technologies, and wireless network access to both the internal network and the Internet.
All locations use Dell computers for laptops, desktop computers, and servers. The laptops and desktops were recently upgraded to Windows 10 Enterprise for their operating systems. The servers are running Windows server 2012. All Windows systems have Symantec Endpoint Protection installed for host-based security (anti-malware, host-based firewall, host-based intrusion detection).
Figure 4. “Smart” Office IT Architecture (Baltimore, Philadelphia, Wilmington)
Each field office uses the same logical architecture. This infrastructure consists of a local area network with both wired and wireless segments. A wiring closet containing the premises router and switches is located in the office space (labeled “Utilities” in the diagram). The “smart office” and “IoT” devices are also located within the office suites and are connected via WiFi to the Wireless Access Points and from there to the office LAN. These devices are individually addressable via their IP addresses. Some have onboard programmable controllers with Web based interfaces. Others have limited onboard functionality and must be controlled via a central console (which has an IP address and Web based interface). The RFID system used to control access to doors has sensor plates affixed to the walls. These sensors are hard wired to a controller in the utilities closet. This controller connects to the local area network and can be accessed via a Web based interface using its IP address. Access control for the Web based interfaces (used for RFID system and “smart” device control) is limited to password protected logons.
System Interconnections
The Operations Center and the individual Field Offices connect to the Internet via a business grade Internet Services Provider with a standard Service Level Agreement (as established by the ISP). Systems interconnections between internal systems and between facilities are certified and approved by the Chief Information Officer. These interconnections include Virtual Private Network connections between the Operations Center and the Field Offices over ISP provided networks). The VPN is used to protect the confidentiality and integrity of information transmitted between IT systems located in the company’s field offices, its headquarters, and the operations center. (See Information Technology Infrastructure later in this document for additional information about system interconnections.)
The operations center and field offices each have their own network infrastructure built on CISCO branded equipment (Virtual Private Network (VPN), wired and wireless local area networks, wireless access points, switches, a premise firewall, and intrusion detection system). Offices and server rooms have RJ-45 wall jacks for 100BaseT “wired” connections to the local area network. Network equipment serving individual LAN segments is located in locked equipment closets (“wiring closets”) within the office areas.
The company’s Wide Area Networking (WAN) and Internet services are provided by Verizon Business services. These services include static IP addresses for the company’s network connections and domain name service for the company’s primary domain name (RedClayRenovations.com) and multiple third level domain names (e.g. balt.redclayrenovations.com, philly.redclayrenovations.com, etc.). The company owns, operates, and manages its own Active Directory server, multiple Web servers, Email servers, file and print servers, and multiple application /database servers. These servers are accessed via local area network (LAN) and virtual private network (VPN) connections. The Email and public Web servers are located in a protected network segment (Demilitarized Zone AKA DMZ) and are accessible from both internal and external networks.
Verizon provides fiber optic cables to the building demarc. Internally, the company owns the cable infrastructure and has predominantly Cat 5 cabling inside the buildings. Company owned cabling also runs from the Verizon owned demarc to a company owned/maintained central wiring closet. This closet also contains routers and switches serving the internal LANs.
Telephone service is provided to each office building via fiber optic cables (as part of the FiOS business services). Internal to the buildings, telephone service routes through an Alcatel Private Brach Exchange (PBX) system over ANSI/TIA/EIA-568-B compliant wiring (predominantly Cat 3 cabling). The PBX system does not connect to the company’s internal networks.
The company allows employees to bring and use their own personal digital devices (laptops, cell phones, cameras, etc.) provided that these devices are required to perform their duties. Contract employees are not allowed to “bring your own device” (BYOD) and will be terminated if they are found to be using cell phones or personal computers on the company’s premises. Employees carry an RFID enabled “proximity access” card which they use to access offices and other restricted areas. BYOD devices are NOT allowed to connect directly to the company’s VPN. These devices are restricted to WiFi access to the Internet using the company’s wireless access points.
Rubic
Sections 1 - 8 (System Identification)
Max points
Sections 1 - 8 present a thorough and complete identification of the system (Office General IT Support), the responsible individuals, and the system status. Key personnel (Section 5) roster contains three or more appropriate designated officials. Used information from the Company Profile.
Section 9: System Description / Purpose
Max points
Provided an excellent description of the HQ Office General IT Support System. Integrated Company Profile information to describe the business operations supported by the hardware, software, and networks which comprise the "General IT Support" system. Included information about the types and sensitivity of information processed by this system. Described the "smart home" and "Internet of Things" capabilities which are supported by the office IT systems.
Section 10: System Environment
Max points
Provided an excellent description of the enterprise architecture for the HQ Office General IT Support System. Integrated Company Profile information to clearly and accurately describe the hardware, software, and networks which comprise the "General IT Support" system. Included information about the devices and controllers used for the "smart home" and "Internet of Things" capabilities which are used by the HQ office.
Section 11: System Interconnections / Information Sharing
Max points
Used information from the Company Profile to identify (name) 5 or more interconnected systems and networks (including the LAN/WAN network connections between the HQ office and the operations center). Provided an excellent description for each that included the types and sensitivity levels of information transmitted over the connection (e.g. company proprietary information, customer information, public Internet information). Named the "owning" organization and responsible ISSO.
Section 12: Related Laws / Regulations / Policies
Max points
Provided an excellent overview of laws, regulations, and policies which establish specific requirements for the confidentiality, integrity, and availability of the data collected, processed, and/or stored in the HQ Office General IT Support System. Named and described the applicability of 5 or more federal or state laws and regulations. Identified and described at least one internal policy which applies to the use of this system.
Section 13 (a) Minimum Security Controls: Management Controls Category
Max points
Provided a clear, concise and accurate summary of the Management Controls as provided in the security controls baseline for the target company (Red Clay Renovations). Named and described each of the required control families (e.g. CA) listed under the "management controls" category (in the baseline) using information from NIST SP 800-53. For each "family" listed in the baseline under this category, identified (listed) the specific controls (e.g. CA-1) and provided a excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.
Section 13 (b) Minimum Security Controls: Operational Controls Category
10 points
Provided a clear, concise and accurate summary of the Operational Controls as provided in the security controls baseline for the target company (Red Clay Renovations). Named and described each of the required control families (e.g. AT) listed under the "operational controls" category (in the baseline) using information from NIST SP 800-53. For each "family" listed in the baseline under this category, identified (listed) the specific controls (e.g. AT-1) and provided a excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.
Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
Section 13 (c) Minimum Security Controls: Technical Controls Category
Max points
Provided a clear, concise and accurate summary of the Technical Controls as provided in the security controls baseline for the target company (Red Clay Renovations). Named and described each of the required control families (e.g. AC) listed under the "technical controls" category (in the baseline) using information from NIST SP 800-53. For each "family" listed in the baseline under this category, identified (listed) the specific controls (e.g. AC-1) and provided a excellent description of how the controls in each family work together to mitigate threats and vulnerabilities.
Sections 14-15: Completion & Approval Dates
Max points
Included both sections from the template file (14 & 15) and entered the completion date for the plan.
Execution
Max points
Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color).
No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format (APA format recommended but not required.)