Information Security Management Project: Pennoni Associates Inc.
Table of Contents
Introduction
The Problem at Pennoni Associates
Risk Management Analysis (RMA) Outline
Project Scope and Goals
Recommended Solution and the Action Plan
Anticipated Results
Proposed Costs
Conclusion
References
Technical Appendix
Introduction
Information security management encompasses the process of protecting information and its respective assets in order to preserve its integrity, confidentiality, and availability (Al-Dhahri et al., 2017). In the current IT-enabled world, information is considered the lifeblood of any modern organization. Therefore, securing information resources becomes a fundamental element of business operations. Malicious parties around the world are continually looking for vulnerabilities in information resources to exploit, which can be very detrimental to a company’s resources and reputation. It is prudent for an organization to have a sound information security management system (ISMS) that will effectively manage its information assets (Susanto et al., 2011). The ISMS is typically a set of implemented policies for defining, constructing, developing, and maintaining both the hardware and software resources.
Pennoni Associates Inc. is a civil engineering firm that offers various services, including building and construction, material testing and certification, and consultancy, among others. The company has a wide range of customers from different sectors, including the government, the entertainment industry, academia, and business organizations. The company operates 28 offices with at least 950 employees. The company is mandated to protect its information resources from malicious attackers. However, the company experiences challenges in managing its network due to minimal visibility. The company considered deploying Cisco Meraki VPNs across its distributed network because the system can be controlled from a central location. The solution would also help provide WiFi to its 28 offices and manage the traffic within the network.
The Problem at Pennoni Associates
The organization, Pennoni Associates, is facing the challenge of network visibility within its extensive distributed network. Network visibility ensures the organization can meet the specific security and management needs of the network in its IT systems. Network visibility also helps keep application performance at optimum levels, since it provides insight into how well applications are functioning (Jacob, 2014). Weak network visibility, however, means that the network has blind spots that could cause the system to miss vital security threats, performance anomalies, and availability problems. Pennoni Associates is therefore finding it difficult to address the blind spots while its network continues to grow more complex.
The company finds it difficult to monitor its network, which exposes it to security vulnerabilities. Without proper network visibility, parts of its infrastructure may be configured differently from the rest of the devices, meaning that unauthorized persons could access them. The performance of the devices could also be degraded (Hein, 2019). When a malicious attacker gets access to confidential information, they can pressure the company into paying a ransom to get the data back. An extensive distributed network without proper monitoring presents numerous vulnerabilities that could be exploited at any time.
Risk Management Analysis (RMA) Outline
| Risk Rank | Risk Description | Likelihood of Occurrence | Impact on the Organization | Proposed Action Item |
|---|---|---|---|---|
| 1 | Exposure of the organization’s information and information assets | High probability of occurring | | Access control programs and encryption algorithms |
| 2 | Entry of malware into the network | High probability | | Malware defenses such as firewalls, and implementation of an effective antivirus monitoring and removal program |
| 3 | Unauthorized parties prying into unencrypted data traffic | High probability | | Strong encryption |
| 4 | Users getting broader access to the organization’s sensitive data than appropriate | Moderate probability | | Network access policies |
| 5 | Reduced employee productivity | Moderate probability | | Sufficient monitoring systems |
| 6 | Tool inefficiency | Moderate probability | | Security fabric with a visibility solution |
Project Scope and Goals
This project’s main intention is to have Pennoni Associates implement a solution that will increase the network visibility of its distributed network across its 28 offices. The primary objective is to ensure that a central location monitors the systems, including the data traffic into and out of them, and optimizes efficiency. To this effect, the primary goals and objectives of the project include:
1. Identify the cybersecurity issues faced by Pennoni Associates Inc. concerning its networks.
2. Determine the impact on the networks of introducing the VPNs.
3. Recommend the strategies which could be adopted by Pennoni Associates Inc. in its bid to enhance the network.
Recommended Solution and the Action Plan
The NIST Cybersecurity Framework will be used as a guide in implementing the recommended solution and action plan for Pennoni Associates, as the project aims to improve the network’s visibility across the distributed system. According to this cybersecurity framework, the process will encompass five core functions, namely:
1) Identify: In this function, the team analyzes the distinct cybersecurity challenges faced by Pennoni Associates. This will entail building an understanding within the organization of why cybersecurity risk has to be managed, so that all resources and capabilities are brought together for the project. This function’s outcomes will include information asset management, business environment, risk assessment, and risk management strategy.
2) Protect: In this function, the team will develop the proper safeguards to ensure that critical services are delivered adequately (Barrett, 2018). The outcome categories expected from this function with respect to the network challenge include access control programs, data security awareness and training, information protection procedures such as monitoring and maintenance, and appropriate protective technology.
3) Detect: This function will encompass the development of appropriate activities that will help identify a cybersecurity event on time. This function’s outcome categories include the risks related to poor network visibility and a continuous detection and monitoring process.
4) Respond: This function includes proper activities to handle detected cybersecurity threats, with the outcome categories being response planning procedures, communication procedures, the mitigation process, and improvements analysis.
5) Recover: This function will entail proper operations that ensure the systems’ resilience is maintained and that services and capabilities are restored promptly in case of a cybersecurity threat. Its focus is to have regular operations within the organization resume fast enough to mitigate the impact of a cybersecurity threat (Barrett, 2018).
Notably, the use of this NIST framework in this project will follow several steps to improve the existing program. The steps to be followed include:
1. Prioritization and scope, where the organization establishes its objectives and high-level priorities. The information will guide the team in making strategic decisions concerning cybersecurity implementations and in determining the scope of the systems and assets needed in this project.
2. Orientation, where the organization points out the related systems, assets, regulatory requirements, and the overall risk approach. The systems’ threats and vulnerabilities are also identified (Barrett, 2018).
3. Creation of the current profile, where the team focuses on understanding the current systems environment and establishing which category and subcategory outcomes from the framework’s elements are being achieved. Where they are not, the right subsequent steps for achieving them are developed.
4. Conducting the risk assessment, which is guided by the organization’s risk assessment operations. The operational environment is analyzed to discern the probability of various cybersecurity events and their respective impacts.
5. Creating the target profile, which establishes the desired outcomes of the project, demonstrated through achievement of the categories and subcategories of the framework core (Barrett, 2018).
6. Determining, analyzing, and addressing any gaps between the current and target profiles.
7. Implementation of the action plan, covering the cybersecurity measures and the gaps that are preventing the desired result from being achieved. A continuous assessment of the systems will also be carried out to ensure that the cybersecurity position is improved.
Anticipated Results
Upon completing the project, where the recommended VPN has been implemented in conjunction with other cybersecurity measures, Pennoni Associates’ system should have improved network visibility. The central location should be able to monitor the entire distributed network and its users, ensuring everyone is accessing information on a need-to-know basis. Any anomalies are to be identified within the system and prompt measures implemented before a cybersecurity risk materializes, or the negative impact mitigated in case it does.
Proposed Costs
| Proposed Item | Cost ($) |
|---|---|
| Purchase of VPN software | 500 |
| Implementation of access control systems, encryption algorithms, and anti-malware programs | 500 |
| Purchase and implementation of monitoring system | 350 |
| Action plan operational costs | 400 |
| Training expenses for system users | 250 |
| Budgeted annual maintenance expenses | 500 |
| Total | 2500 |
Conclusion
This project for Pennoni Associates is focused on improving the network visibility of its systems. Currently, the organization’s system is at Tier 1: Partial, with no proper risk management processes, limited awareness of its cybersecurity risks, and no understanding of its position in the ecosystem with respect to both its dependents and dependencies. Nonetheless, through the project, the team intends to move it to a position of better risk management processes and cybersecurity measures that ensure that all users and other stakeholders have their information protected.
References
Al-Dhahri, S., Al-Sarti, M., & Abdul, A. (2017). Information Security Management System. International Journal of Computer Applications, 158(7), 29-33.
Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology, Gaithersburg, MD, USA, Tech. Rep.
Hein, D. (2019, August 6). Why is visibility important for network monitoring? Retrieved from https://solutionsreview.com/network-monitoring/why-is-visibility-important-for-network-monitoring/
Jacob, N. M. (2014). Network Visibility As Key Measure To Network Management.
Susanto, H., Almunawar, M. N., & Tuan, Y. C. (2011). Information security management system standards: A comparative study of the big five. International Journal of Electrical Computer Sciences IJECS-IJENS, 11(5), 23-29.
Technical Appendix
The information gained by the project team on the cybersecurity challenges faced by Pennoni Associates was fundamental in determining the cybersecurity measures the organization’s system needs to improve its network visibility. In this way, the project would identify the risks that the system faces and determine the respective measures that will prevent them and mitigate their impact. The Cisco VPN is the primary solution considered by the project, alongside other actions such as access control systems, encryption, increasing awareness among the system users, and the implementation of continuous monitoring and maintenance policies.
The team has considered the initial costs of implementation and continuous maintenance to ensure that the systems’ security is maintained. User training is fundamental, since human users are considered the weakest links in putting the systems at risk. The NIST Framework is to guide the implementation of the cybersecurity measures so that the project covers all the relevant matters.