Module 7 Assignment Section 10 Implementation Compliance Enforcement

This document outlines an action plan to implement, enforce and ensure compliance with new security policies at an organization. The plan involves building consensus among leadership, defining roles and responsibilities, creating an inventory of devices, establishing a policy board, distributing the new policies and training employees on them, and monitoring compliance. The goals are to secure information assets, protect privacy and ensure legal compliance through standardized baselines, education and ongoing improvement of security practices.


CSOL 540 Assignment 7: Implementation, Enforcement and Compliance Marc Leeka

Objective

A plan to implement, enforce and build organization-wide compliance with the policies included within.

Goal

The implementation process will initially yield:

a current and accurate record of all device assets, each standardized to a secure baseline
configuration;
consensus on a measurable target goal and on the responsibilities of each party involved with the
implementation;
organization-wide education on security awareness and on how best to protect the organization's
information assets;
a measurable gauge of security process effectiveness; and
a manageable process to improve information security and awareness in the future.

Ultimately these improvements will protect the organization's information assets and reduce the risk
to them. Upon implementation, Sample Corp can confidently:
ensure the security and confidentiality of employee and customer information;
protect against anticipated threats or hazards to the security or integrity of employee and
customer information;
protect against unauthorized access to or use of employee or customer information that could result in
substantial harm or inconvenience to either, deviation from Sample Corp's mission and subsequent
harm to Sample Corp's reputation; and
ensure the organization is compliant with all applicable laws and regulations that protect employee
and customer information.

Action Plan

Implementing the policies entails these major steps:


building consensus on intent;
definition of roles and assignment of responsibilities;
inventory of devices and security configuration documentation;
formation of a Policy Maintenance and Change Control Board;
review, revision and consensus for the security policies within;
organization-wide distribution of the documents;
build awareness, agree on mandated training and begin formal training;
updated collection of security policy compliance data; and
review of any deviation from compliance with security policies.

Action Steps: Building consensus

The implementation begins with informal agreement to this plan's objective and goals from the
organization's leaders and executive managers, followed by a formal agreement to proceed from the
senior-most executives. Although the agreement states the objectives of the security policies and
their benefits to Sample Corp, the senior-most executives should also be advised of the resources and
commitment required of each department and of any potential disruption to operations. They should be
advised that baseline metrics will be collected prior to the implementation of security policies and
continuously thereafter to measure the effectiveness of the plan.

Next, teams will be formed to represent the plan's many stakeholders. Meeting times, places and
methods of communication will be established. The draft policies within will be distributed to the
appropriate stakeholders for discussion, revision and improvement.

Action Steps: Definition of roles and assignment of responsibilities

The following definitions of responsibilities are recommended for the adoption of this action plan:

Chief Executive Officer. The CEO will ensure that high priority is given to effective security awareness
for the workforce. This includes implementation of a viable information security program with a strong
awareness and training component. The CEO will:
designate a Chief Information Officer;
assign responsibility for IT security;
ensure that an organization-wide IT security program is implemented, is well supported by resources and
budget, and is effective; and
ensure that the organization has enough sufficiently trained personnel to protect its IT resources.

Chief Information Officer. The CIO is responsible for the overall management, implementation and
enforcement of the IT security program. The CIO will work with the Chief Information Security
Officer to:
establish overall strategy for the IT security awareness and training program;
ensure that the CEO, senior managers, system and data owners, and others understand the concepts
and strategy of the security awareness and training program, and are informed of the progress of the
program's implementation;
ensure that the organization's information security awareness and training program is funded;
ensure that all users are sufficiently trained in their security responsibilities;
ensure the supplemental training of employees with significant security responsibilities; and
ensure that effective tracking and reporting mechanisms are in place.

Chief Information Security Officer. The CISO is responsible for the administrative and operational
aspects of security for Sample Corp's information systems, including creation and maintenance of all
security documentation, ensuring that systems are hardened and patched, monitoring system security
controls, and handling incidents. The CISO has tactical-level responsibility for the awareness and
training program. In this role, the CISO will:
ensure that awareness and training material developed is appropriate and timely for the intended
audiences;
ensure that awareness and training material is effectively deployed to reach the intended audience;
ensure that users and managers have an effective way to provide feedback on the awareness and
training material and its presentation;
ensure that awareness and training material is reviewed periodically and updated when necessary; and
assist in establishing a tracking and reporting strategy.

Front-line Managers and Supervisors have responsibility for complying with the IT security awareness and
training requirements established for their users. They will:
work with the CIO and the CISO to meet shared responsibilities;
serve in the role of system owner and/or data owner, where applicable;
develop individual plans for users in roles with significant security responsibilities;
ensure that all users (including business partners) of their systems (i.e., general support systems and
major applications) are appropriately trained in how to fulfill their security responsibilities before
allowing them access;
answer questions and ensure that users (including business partners) understand the specific rules of each
system and application they use;
gather metrics on policy effectiveness; and
work to reduce errors and omissions by users due to lack of awareness and/or training.

Users include employees, business partners, contractors, and other collaborators or associates requiring
legitimate access to Sample Corp computing systems or information assets. Users must:
understand and comply with Sample Corp security policies and procedures;
be appropriately trained in the rules of behavior for the systems and applications to which they have
access;
work with management to meet training needs;
be aware of actions they can take to better protect the organization's information. These actions
include, but are not limited to: proper password usage, data backup, proper antivirus protection,
reporting any suspected incidents or violations of security policy, and following the rules established to
avoid social engineering attacks and to deter the spread of spam, viruses and worms.

The Human Resources Department will:

implement, maintain and provide ongoing information technology security awareness training, using
various delivery techniques in awareness sessions, email distribution for security awareness
communications, and a security web site that promotes and reinforces good security practices, Sample
Corp policies and procedures, and employee responsibilities;
establish accountability and monitor compliance by implementing an automated tracking system to
capture key information regarding program activity (e.g., courses, certificates, attendance); and
implement a formal evaluation and feedback mechanism to address quality, scope, deployment
method (e.g., web-based, onsite, offsite), level of difficulty, ease of use, duration of session,
relevancy, currency, and suggestions for modification.

The Information Technology Department will:

implement the security policies as directed. Technical implementation will adhere to standards and
guidelines established by manufacturers and vendors, previous Sample Corp experience and industry best
practices;
collect inventory and current state information on a continuous basis; and
report deviations from the information security policies within to the CISO.

Action Steps: Inventory of devices and security configuration documentation

The Information Technology department will collect and assemble an infrastructure inventory using
discovery and inventory tools. A current inventory is key to implementation in a highly distributed
infrastructure: the organization must have an accurate count of how many devices are on the network, and
it must accurately determine which of those devices adhere to current security policies. An accurate
inventory count and configuration information let the organization assess the population of network
devices and measure their compliance with security policies. Devices the discovery tools cannot reach
should be recorded as unknown rather than assumed compliant. Other benefits of the inventory and
assessment include identification of outdated technology and immediate discovery of inconsistent
configurations and/or deployments. Standardization ultimately simplifies implementation and reduces
operational costs.

The current state captured by the inventory will be contrasted with the desired target state. The
implementation teams must reach consensus on that target state before the policy's goals and objectives
are established.

Action Steps: Formation of a Policy Maintenance and Change Control Board

This board is an additional role with the following responsibilities:

maintains a current policy and standards library and manages its availability;
establishes a change management process for policies and standards;
assesses policies and standards and makes recommendations for change;
coordinates other requests for change;
ensures that changes to existing policies and standards support the organization's mission and goals;
with the concurrence of the legal department or human resources, revises policies to comply with new
and revised laws and regulations that govern the organization's activities and personnel;
reviews requested changes to the policy framework; and
makes recommendations to the CISO for the approval of security policies.

Action Steps: Review, revision and consensus for the security policies within

The implementation teams will make changes and improvements to the draft policies within, then submit
them to the Policy Maintenance and Change Control Board with the team's recommendation for approval by
the CISO.

Action Steps: Organization-wide distribution of the documents

Upon formal approval by the CISO, policies will be distributed and made available to all employees and
business partners by the Policy Maintenance and Change Control Board with assistance of the Human
Resources department.

Action Steps: Build awareness, agree on mandated training and begin formal training

The following mandated training policy for security awareness is recommended:

All Employees, Business Partners and Contractors who use Sample Corp information systems are
required to:
complete the Security Awareness Training course every twelve (12) months. All newly hired
employees are required to complete the Security Awareness Training course within the first 30 days
of their date of hire or prior to receiving access to Sample Corp information systems and data; and
sign an "Acceptable Use Policy and User Acknowledgement Agreement" which acknowledges that
they are fully aware of security best practices and their roles in protecting the Sample Corp's
information technology systems and data. Access to Sample Corp computer technology will not be
granted without this agreement.

Supervisors, Managers and Directors are required to:

ensure each employee under their supervision has attended and completed the Security Awareness
Training, and include completion of the training as part of the employee's annual performance
evaluation; and
maintain a copy of each employee's Security Awareness Training certificate in the department's
personnel file and forward a copy of the certificate to the Human Resources Department for the
employee's personnel file.

Action Steps: Updated collection of security policy compliance data

A configuration baseline is derived from the security policy. Where possible, standardized images will
be used to ensure systems are deployed in a secure state. This practice speeds deployment, increases
availability and reduces costs. The image itself must be maintained: an image that is not rebuilt as
patches are released deploys a state that is already out of date.

The Information Technology department will:

utilize automated systems and random audits to collect current state information;
provide summary reporting to the CISO of personnel that have not complied with security policies,
and of devices that do not comply with security policies; and
immediately reconfigure noncompliant devices to meet security policies.

Devices that cannot be reconfigured to meet security policies will be removed from the Sample Corp
network until a determination is made by the CISO.
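The inventory step above (current state contrasted with the target state) and the compliance data collection step come down to the same check: evaluate each inventoried device against the baseline, honour CISO-approved exceptions that have not expired, and sort devices into those that are compliant, those to be reconfigured, and those that cannot be brought to baseline and leave the network pending the CISO's determination. The following Python script is an added example, not part of this assignment or Sample Corp's tooling; the baseline rules and thresholds, inventory fields, device records, reporting date and exception format are all constructed assumptions.

```python
"""Evaluate a device inventory against a policy baseline.

Added example, not part of the assignment or Sample Corp's tooling: the rule
names, inventory fields, device records and exception format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable


@dataclass(frozen=True)
class Rule:
    """One baseline requirement: which inventory attribute it reads and the pass test."""
    name: str
    attr: str
    check: Callable[[object], bool]


# Hypothetical secure baseline derived from the policy (thresholds are assumptions).
BASELINE = [
    Rule("disk_encryption", "disk_encryption", lambda v: v is True),
    Rule("screen_lock", "screen_lock_minutes", lambda v: v <= 15),
    Rule("antivirus", "antivirus_enabled", lambda v: v is True),
    Rule("patch_age", "patch_age_days", lambda v: v <= 30),
    Rule("no_local_admin", "local_admin_for_users", lambda v: v is False),
]

# Constructed inventory records, in the shape a discovery tool might export.
INVENTORY = [
    {"id": "WS-0001", "owner": "alice", "os_supported": True, "disk_encryption": True,
     "screen_lock_minutes": 10, "antivirus_enabled": True, "patch_age_days": 12,
     "local_admin_for_users": False},
    {"id": "WS-0002", "owner": "bob", "os_supported": True, "disk_encryption": False,
     "screen_lock_minutes": 60, "antivirus_enabled": True, "patch_age_days": 45,
     "local_admin_for_users": True},
    {"id": "LAB-0003", "owner": "carol", "os_supported": False, "disk_encryption": False,
     "screen_lock_minutes": 10, "antivirus_enabled": False, "patch_age_days": 400,
     "local_admin_for_users": False},
    {"id": "WS-0004", "owner": "dave", "os_supported": True, "disk_encryption": True,
     "screen_lock_minutes": 10, "antivirus_enabled": True, "patch_age_days": 5,
     "local_admin_for_users": True},
]

# CISO-approved exceptions: device id -> {rule name: expiry date}. An expired
# exception no longer excuses the failure, so the device comes back up for review.
EXCEPTIONS = {"WS-0004": {"no_local_admin": date(2030, 1, 1)}}

# Constructed reporting date so the run is reproducible.
REPORT_DATE = date(2025, 1, 1)


@dataclass
class DeviceResult:
    device_id: str
    owner: str
    status: str = "compliant"                      # "compliant", "reconfigure" or "remove"
    failed: list = field(default_factory=list)     # rules failed with no valid exception
    excepted: list = field(default_factory=list)   # rules failed but covered by an exception


def evaluate_device(device, rules=BASELINE, exceptions=EXCEPTIONS, today=REPORT_DATE):
    """Classify one device. Unknown state (missing attribute) is treated as a failure."""
    result = DeviceResult(device["id"], device["owner"])
    granted = exceptions.get(device["id"], {})
    for rule in rules:
        value = device.get(rule.attr)
        if value is not None and rule.check(value):
            continue
        if granted.get(rule.name, date.min) >= today:
            result.excepted.append(rule.name)
        else:
            result.failed.append(rule.name)
    if result.failed:
        # A device that cannot be brought to baseline (unsupported OS) leaves the
        # network pending the CISO's determination; any other failure is reconfigured.
        result.status = "reconfigure" if device.get("os_supported") else "remove"
    return result


def compliance_report(inventory=INVENTORY, rules=BASELINE, exceptions=EXCEPTIONS,
                      today=REPORT_DATE):
    """Summary for the CISO: device ids per action and owners who need follow-up."""
    report = {"compliant": [], "reconfigure": [], "remove": [], "owners_to_notify": []}
    for device in inventory:
        r = evaluate_device(device, rules, exceptions, today)
        report[r.status].append(r.device_id)
        if r.status != "compliant" and r.owner not in report["owners_to_notify"]:
            report["owners_to_notify"].append(r.owner)
    return report


if __name__ == "__main__":
    for dev in INVENTORY:
        r = evaluate_device(dev)
        print(f"{r.device_id:9} {r.status:12} failed={r.failed} excepted={r.excepted}")
    print(compliance_report())
```

Two design points matter in practice: a missing attribute is counted as a failure rather than a pass, so a device the tooling could not fully read does not silently appear compliant; and exceptions carry an expiry date, so an approved deviation resurfaces in the report once it lapses instead of becoming permanent.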

Action Steps: Review of any deviation from compliance with security policies

The CISO will review all device noncompliance with security policies. The CISO will make
recommendations to the Information Technology department for any device that is determined not to meet
security policies. The CISO is responsible for approval of any deviation from security policies and must
notify the CIO of any exceptions. Each approved exception should be recorded with its justification, any
compensating controls and an expiry date, so that it is re-reviewed rather than becoming permanent.

The CISO will review all employee and business partner noncompliance with security policies. When
notified of any noncompliance, the CISO will make an enforcement recommendation to the Human
Resources department and to the appropriate supervisor/manager, and must notify the CIO of that
recommendation.

The CISO will review the monthly Quality Control reviews and compliance assessments and submit
summaries to the CIO monthly for the first year of project implementation, and quarterly thereafter.
