Course Summary
A critical part of any organization’s cybersecurity approach is the Information Systems Security Plan (ISSP). An ISSP is a formal document that outlines the security requirements of an information system. It describes the security controls in place or planned for meeting those requirements. ISSP comprises system components that are in place, the environment in which the system operates, how the system requirements are met, and the relationships with or connections to other systems (NIST, n.d.).
Developing and implementing an ISSP is essential because it ultimately benefits an organization by helping prevent the exposure, loss, or corruption of data (AGIO, 2021).
Professionally, any organization is obligated to develop its own ISSP for many reasons, including that it is a necessary part of showing compliance with industry standards. Ethically, it is imperative to be transparent in the documentation of an ISSP, as this reflects on the organization's ability to meet its security requirements.
Coursework Artifact

request_for_proposal.pdf
The request for proposal assignment is for a fictitious company called BioHuman. This document outlines the requirements of a cybersecurity awareness program and the qualification criteria for bids. I was prompted to select this artifact because of its real-life applicability. A request for proposal must be as transparent as possible to set expectations right from the start.
Reflections
The Management and Cybersecurity course (CSOL 550) builds an excellent foundational knowledge of how management can be applied effectively to mitigate cybersecurity risks and achieve the organizational goal of preserving information. Topics covered in the course provide an overview of audit and compliance, an organization's legal obligations regarding cybersecurity, developing secure business continuity and disaster recovery plans, and acquiring and procuring IT with security in mind (Coursicle, n.d.).
Professionally, any cybersecurity leader is required to understand the metrics proven valuable in cybersecurity decision-making. These metrics focus on business driver categories such as cost, risk, quality, Return on Investment (ROI), compliance, and safety. Each of these is discussed below (Touhill & Touhill, 2014).
Cost: Cybersecurity professionals must remember that their company's primary mission is to earn profit. Ensuring that each selected cybersecurity control is practical and adds value to the business is essential. Cost can be a vital driver for decisions about staffing and outsourced services. Observing performance measures and deciding whether an investment adds value to the business is crucial.
Risk: Cybersecurity performance measures must provide insight into an organization's risks, their magnitude, and where they exist. Maintaining a zero-risk posture can sometimes be very costly. Hence, this driver can be a crucial tool for deciding whether hiring new staff or an outsourcing vendor is necessary, or whether the organization can accept the risk.
Quality: Cybersecurity metrics must measure the quality of controls and products to ensure their effectiveness. It is crucial to evaluate whether a given team or staff member delivers effectively on the organization's agenda, or to measure the effectiveness of cybersecurity training provided by an outsourced vendor.
ROI: Return on investment is a cost-benefit metric. Cybersecurity investments do not generate benefits. It is essential to measure investments in staff and vendors.
Compliance: As in any other part of the organization, it is crucial for cybersecurity to ensure compliance with regulatory requirements through performance measures. It is critical to assess whether the services and actions of staff and vendors comply with regulations.
Safety: Measuring the safety of cybersecurity controls is critical to ensuring employee and public well-being. The safety of security controls must be measured so that an organization avoids the potentially devastating consequences of a cyber incident. For staff, this could mean assessing access control to prevent human error; for outsourced vendors, it could be measured by system performance.
Ethically, cybersecurity professionals need to understand and implement ethical principles. The most technically appropriate solution may not align with the corresponding ethical principles. If not dealt with properly, some actions in the field of cybersecurity could have severe adverse effects on humans (Repetto et al., 2022).
References
AGIO. (2021, September 28). How to Create an Information Security Plan. Agio. Retrieved March 20, 2023, from https://agio.com/how-to-create-an-information-security-plan/#gref
NIST. (n.d.). information system security plan - Glossary | CSRC. NIST Computer Security Resource Center. Retrieved March 20, 2023, from https://csrc.nist.gov/glossary/term/information_system_security_plan
Coursicle. (n.d.). CSOL 550 - Management and Cyber Security at the University of San Diego. Coursicle. Retrieved March 20, 2023, from https://www.coursicle.com/sandiego/courses/CSOL/550/
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives: A Practical Guide. Wiley.
Repetto, M., Duzha, A., & Kołodziej, J. (Eds.). (2022). Cybersecurity of Digital Service Chains: Challenges, Methodologies, and Tools. Springer International Publishing.