
Wilde

Security Staffing Proposal-Final

Wilde, John 6.15.11 City University ISEC 500


Abstract
The purpose of this paper is to propose a staffing solution for a fictional company. The purpose of this staffing outline is to illustrate knowledge of what security measures and controls need to be implemented. This paper will also justify each position proposed, with roles defined. Some of those roles are incident response team, operating system handling, network operations, employee security training, human resources, and other roles that need to work with the security team. The end result should give an idea of staffing needs and of one's responsibility in an organization.

Let us first start out by introducing the company that will be staffed. I have experience in finance, so I will pick a mortgage company. This company is licensed in the state of Washington. To set the background, the parent company, named ABC Mortgage, hires successful loan officers to work as Branch Managers. Each office is under the control of the branch manager and needs to comply with all federal laws, state laws, and management rules outlined by the parent company. Given the nature of the information collected, the technology used today to send information back and forth over the internet, and the way data is stored on computers, the owner will need an information security team to protect customer data. This paper plans to share the positions needed and the roles each person will play in protecting the data. In addition, some time will be spent on justifying each position to the data owner so the owner feels the staff is justified given the expense.

The Staff
As this paper is going to focus on the information security team, the owner will be the one who oversees the Chief Information Security Officer (CISO), whom the owner employs to ensure that customers' information remains secure and is stored per the laws that relate to the industry. The CISO has been given a small staff to manage the branches. One of those management positions is the Senior Information Security Officer (SISO). The SISO will have three Information Security Officers (ISOs) that will work with all the local branches, assigned by area. Each local branch will have a User Representative (UR) assigned, who provides work orders to the ISO if special attention is required. The UR will be the senior loan officer of each branch. The Branch Manager (BM) will act as the physical control specialist at each location. A diagram is provided below (Fig 1).
(Fig 1) Organization chart:
Owner
  CISO
    SISO (floats as needed)
      ISO-1: BM/UR at Snohomish Office, Everett Office, Lynnwood
      ISO-2: BM/UR at Seattle Office, Tacoma Office
      ISO-3: BM/UR at Vancouver, Longview

Roles
The CISO will provide the security vision to the business. The CISO will work directly with the SISO on emerging issues and ensure that daily security operations are carried out. The CISO will create the SSAA document in cooperation with the SISO and local branch ISOs. The CISO will also provide a once-a-year update on the SSAA document and any changes for the data owner to provide the ATO (Approval to Operate). The CISO will also create and implement a security policy manual for all employees to follow that supports the security vision, and update it as needed (yearly at minimum). A quarterly report will also be provided to the data owner by the CISO on security incidents, remedies, any hardware purchase recommendations, needed software upgrades, or system updates (except emerging issues). The CISO will set up and attend monthly security meetings with his SISO to keep current on local branch issues. The CISO will supervise, with the support of the SISO, that the system controls are implemented per the SSAA document. The CISO will also obtain an independent audit of the system once a year, or as needed due to possible insider threats.

The SISO will carry out the CISO's security vision to the local branch ISOs. The SISO will report any emerging issues to the CISO as they arise from the local branch ISOs. The SISO will assist in the creation and yearly update of the SSAA document for an ATO to be granted. The SISO will delegate responsibilities to each branch ISO for contributions needed to the SSAA document. The SISO will also work with human resources on new hires' training on security guidelines and procedures as provided by the security policy manual. The SISO will obtain monthly reports from the local ISOs that include incidents, problem identification, remedies, and long-term fix recommendations for the required quarterly reports (unless urgent). The SISO will also obtain computer system audit reports and include the results in the quarterly reports to the CISO. The SISO will attend monthly meetings with each local BM/ISO. As the BM is acting as physical security specialist for each location, a report will be obtained by the SISO from the BM on breaches or damage so appropriate repairs can be done.

The BM (doubling as physical security specialist) is responsible for locking or unlocking all doors to buildings. The BM will check that computer system rooms are locked and building alarms are turned on or off. The BM will unlock or lock all file cabinets after ensuring no files were left on desks, in desks, in conference rooms, or in other unlocked open areas. The BM will also report to the local branch ISO any non-compliance in regards to file security, data misuse, or potential misuse. The other side of the BM job is on the financial side, so this paper will spend no time on this.

The local ISO will be responsible for providing all reports described above to the SISO and attending all required security meetings with the SISO. The ISO will also manage that branch's website for its security and maintain the server to which the employees' workstations connect. The ISO will be responsible for ensuring the operating system at each workstation is operational and that security measures, such as user access and privileges, are working properly.

Local branch ISOs will ensure that all staff at overseen locations are trained on security policies and will work with the UR to ensure that one's job ability is not interrupted beyond a reasonable amount that will not sacrifice needed security. The local ISO will also provide audit reports, penetration testing results, password strength results, and other audit trails as needed to the SISO. URs are to be available to loan officer staff for complaints about ease of use or disruption of services and report such items to the area ISO. Once fixed, the UR provides feedback on how the solution progressed, whether it failed, or whether the problem was solved.

Controls
The SISO will have full privileges to all locations' websites, servers, and data storage. The SISO will have full administrative privileges with the exception of changing the master password (that belongs to the CISO) and changing any controls enforced by the CISO. The local ISO will have restrictive control only over the server, website, user workstations, and network of the locations that one covers. Users will only have access to one's own computer workstation and printer password. Each user will only have access to the files one originated in the system, through access controls. Some more examples of controls for the users are strong passwords, restricted access, limited account privileges, and no access to servers, the network, or others' workstations. Each workstation should have a three-minute timeout to prompt for the password again if there is no activity at the terminal, restricted internet access, an email-for-business-use-only policy, anti-keystroke-capturing software on each terminal, file transfer to the server over the intranet only, and firewalls between the application server, web server, and network, applied with open ports closed. Electronic data storage for archived data files needs to be encrypted with Hybrid Cryptographic Optimizer (HCO) technology with Advanced Encryption Standard (AES) 128-bit and 256-bit encryption from PGP, now called Symantec (Symantec, 2011). When the retention period for maintaining the archive has been reached, software will be used to wipe the old data from the hard drive per the DoD 5220.22-M standard (About.com, 2001).

Justification
A) If one's financial information were compromised, one's identity could be obtained. The loan file has DOB, SSN, account numbers, copies of one's signature, credit report, work history, residential history, and in some cases school history. The cost of repairing this could be in the hundreds of thousands of dollars. That is just the repair, not counting lawsuit damage awards and other punitive damages from the court system. So having a security team to prevent this is well worth it. In the case of multiple file loss, it could be so costly that one would have to be shut down and possibly imprisoned. B) Due to the fact that cables get bumped, items break down, employees do not follow policies, software does not always work properly, employees change settings, printers fail, passwords need resetting, and a variety of other issues happen in an office, it would seem beneficial to have an ISO available. The ISO would be able to reset passwords, reconfigure systems to work with security protocols, and reestablish networks with appropriate security in place, which assists in keeping data secure and free from being compromised. Having one ISO per area seems to be appropriate.

C) To manage the area ISOs, one should have a more highly educated security expert to oversee operations. Having one SISO, given the business, seems appropriate. Without this manager, the upper management of the mortgage company will not have time to perform its business, thus becoming less profitable, and carelessness with files will follow, which could cause one to fail an audit. D) Having one Chief Information Security Officer is important, as this person would have more experience in the business aspect and be able to work with the data owner in a way that could be well received. The CISO would also be able to spend time driving the security vision, overseeing system audits, responding to urgent scenarios, and ensuring the SSAA document and ATO are current for the data owner, which allows the rest of the team to spend time performing their jobs rather than on administration. E) Having the BM double as a physical security specialist saves the budget on the security team, and the local ISO would be able to do this as well. The UR is also incorporated into the loan officer staff, as they are the ones using the system and most affected by it. The senior loan officer of each office would represent the office to the ISO, saving more on the budget for an ISO spending time testing and using the system for long lengths of time to ensure proficiency.

Summary
This paper has outlined roles and responsibilities for this ABC Mortgage company in regards to information security. This paper started out with a description of the fictional company and created roles from the Chief Information Security Officer down to the user. This paper also separated duties for each position for one to use as a guide. Time was spent on what kinds of controls were going to be used in protecting the system. In closing, this paper discussed rationalization concepts to support why each position was needed and should be implemented.

References

Fisher, T. (2011). DoD 5220.22-M. In www.about.com. Retrieved June 17, 2011, from http://pcsupport.about.com/od/termsd/g/dod-5220-22-M.htm

PGP Whole Disk Encryption. (2011). In www.symantec.com. Retrieved June 17, 2011, from www.symantec.com/content/en/us/enterprise/fact_sheets/bpgp_whole_disk_encryption_DS_21064414.en-us.pdf
