
Integrated Cybersecurity Plan

[Insert name here]

Course Number: Course Name

School

Professor Name

Date

Security Awareness and Training Program

The security awareness and training program will raise security awareness across the organization by first identifying the information assets that need protection and then tailoring the program to the organization's needs.

Background

Following the cyberattack on the organization, recovery will be supported by an awareness and training program aimed at strengthening the resilience of the systems and the ability of staff to prevent and respond to future attacks.

Regulatory/policy considerations and constraints

The regulations and policies that govern cybersecurity must be understood so that the organization can safeguard its assets and information from cyberattacks (Wilson & Hash, 2003). The regulations issued by different agencies include:

i. SEC Regulation S-P, which governs the privacy of consumers' financial information and requires safeguards for personal information

ii. Gramm-Leach-Bliley Act (GLBA), a privacy and information security regulation for financial institutions

iii. Federal Trade Commission (FTC) Act, under which the FTC acts against unfair or deceptive data security and privacy practices, in effect requiring reasonable cybersecurity measures

iv. Children's Online Privacy Protection Act (COPPA), a cybersecurity and privacy regulation covering data collected from children

v. Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), which regulate the privacy of electronic communications and of stored electronic information

vi. Federal Privacy Act of 1974, which regulates the use of personal information held in federal government systems

vii. Consumer Privacy Protection Act, which addresses the security and protection of sensitive personal identification information

Objectives: To educate users on their obligation to follow cybersecurity best practices and to protect the confidentiality, integrity and availability of organizational information.

Roles and Responsibilities:

Team efficiency depends on everyone understanding their individual roles and responsibilities, in particular who is responsible for designing, developing, and implementing the awareness and training program. The critical roles and responsibilities for the program will be:

Program Head: ensure implementation of the program

Chief Information Officer (CIO): establish the overall program strategy and ensure all team members understand the program's concepts

Cybersecurity Program Manager: ensure training and awareness materials are developed in an appropriate and timely manner

Managers: ensure appropriate training is provided to all users

Users: understand and comply with all regulations while applying their training

Program Model:

Centralized policy, distributed strategy and implementation. In this model the central authority communicates only the overarching program policy and expectations, while the organizational units are responsible for creating, implementing, and managing their own awareness and training programs.



Needs Assessment:

A needs assessment is vital to understanding the security needs of the organization. The baseline needs assessment will identify the specific areas to be addressed throughout the awareness and training program and allow the organization to define the principal metrics used to measure the program's performance. The needs assessment will be carried out by collecting data from sources such as:

i. Interviews with organizational groups

ii. Reviews of security plans

iii. Analysis of security events and incidents that have occurred within the organization

iv. Reviews of infrastructure changes, and

v. Studies of current security trends (Wilson & Hash, 2003)

Program strategy:

Provide awareness of cybersecurity best practices, including keeping hardware and software updated, running anti-malware and antivirus software on systems, avoiding suspicious emails and links, using a VPN to protect user connections on untrusted networks, and using a secure solution for file sharing. Together these practices support the restoration of system capability and the rebuilding of resilience after the cyberattack.

Awareness

Audience: Management and all employees

Activities and target dates/ Schedule:

i. Determine regulatory/policy considerations: week 1

ii. Determine roles and responsibilities: week 2

iii. Determine program model: week 3

iv. Perform needs assessment: weeks 4, 5, 6, 7

v. Develop program strategy: week 8

vi. Develop program plan: weeks 9, 10, 11, 12

vii. Determine metrics: weeks 13, 14, 15

viii. Develop materials for the program: weeks 16, 17, 18

ix. Communicate the program: weeks 19, 20

x. Conduct post-implementation activities: weeks 21, 22, 23, 24

Review and updating of materials and methods:

Understanding the audience and the topics that will resonate with each group is imperative. Factors to consider when developing materials include demographics such as age, technical skill, and education, so that the materials deliver messages that are realistic, relatable, and memorable in a simple, direct, and engaging manner. Delivery methods should also be identified at this stage.

Training

Learning objectives:

To understand the cybersecurity best practices that support the restoration of system capability and the rebuilding of resilience after the cyberattack, and why they matter.

Focus areas:

Focus areas will cover the importance of adopting cybersecurity best practices, including:

i. Keeping hardware and software updated

ii. Running anti-malware and antivirus software on systems

iii. Avoiding suspicious emails and links

iv. Using a VPN to protect user connections on untrusted networks

v. Using a secure solution for file sharing

Methods of delivery:

Instructor-led, video-based, and online delivery

Schedule:

4 to 6 months, per the activity schedule above

Evaluation criteria:

Assessment at the end of the training, followed by certification

Post-implementation activities:

Keep the awareness and training program relevant. Activities include:

i. Remaining current with technological advances, IT infrastructure changes, organizational changes, and policy changes,

ii. Adapting to the changing cybersecurity and threat environment.

Resource requirements:

i. Staff

ii. Facilities

iii. Contracting support

iv. Media: computers, server, internet access

Identity and Access Management Plan (IAM Plan)



Objective: This plan seeks to ensure that the right people have the right access to the right

resources at the right time. The identity and access management plan will allow the organization

to improve its data security, reduce its security costs, implement the least privilege principle, and

improve its corporate IT governance (Pöhn et al., 2021).

The IAM plan will integrate three pillars:

i. Identification: a user presents an identity, such as a username, to access any system within the organization

ii. Authentication: the system verifies that the user is who they claim to be, for example by checking a password or another credential (Amiruddin et al., 2021)

iii. Authorization: the system allows the authenticated user to perform only the tasks permitted by the defined roles and security policies

The identity and access management plan will use the following controls:

i. Single sign-on (SSO): users sign in once to access multiple applications and services

ii. Multifactor authentication (MFA): users present their password together with a second factor, such as a badge scan, a one-time code, or a fingerprint scan

iii. Profile management: all user profiles are managed centrally, and users are regularly reminded to keep their information up to date

iv. Password management: passwords must meet a minimum length and are screened against lists of known compromised passwords; users are required to change a password when compromise is known or suspected rather than on a fixed schedule, since current NIST guidance (SP 800-63B) no longer recommends routine periodic rotation
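The three pillars and the MFA and password-management controls above can be followed end to end in the following added example (illustrative code, not part of the original plan). It assumes a PBKDF2-HMAC-SHA256 password store, an RFC 6238 TOTP second factor, and a role table that denies anything not explicitly granted; the user "alice", her password, the TOTP seed (the RFC 6238 test secret), the iteration count and the role names are all constructed for the demonstration.

```python
"""Identification, two-factor authentication and deny-by-default authorization.
Added example with constructed users, secrets and roles; not the organization's code."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000  # assumption: work factor in line with current OWASP guidance
TOTP_STEP = 30               # seconds per RFC 6238 time step


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the store keeps (salt, digest), never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret, now, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, now, skew=1):
    """Accept the current step and `skew` adjacent steps to tolerate clock drift."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit()):
        return False
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
               for d in range(-skew, skew + 1))


# Constructed identity store: one user whose TOTP seed is the RFC 6238 test secret.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _salt, "digest": _digest,
              "totp_secret": b"12345678901234567890", "roles": {"analyst"}},
}
# Least privilege: a role lists only the actions it needs; anything unlisted is denied.
ROLE_PERMISSIONS = {
    "analyst": {"tickets:read", "reports:read"},
    "admin": {"tickets:read", "tickets:write", "users:manage"},
}


def authenticate(username, password, code, now=None):
    """Identification (lookup by username) followed by password + TOTP verification.
    Returns a session dict on success, None on any failure (no hint about which step failed)."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users, so timing does not leak existence
        return None
    if not verify_password(password, user["salt"], user["digest"]):
        return None
    if not verify_totp(user["totp_secret"], code, now):
        return None
    return {"user": username, "roles": set(user["roles"])}


def authorize(session, action):
    """Authorization: permitted only if a role held by the authenticated session grants the action."""
    if session is None:
        return False
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in session["roles"])


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for the test secret at this time is 287082
    session = authenticate("alice", "correct horse battery staple",
                           totp(b"12345678901234567890", t), now=t)
    print("login ok:", session is not None)
    print("tickets:read allowed:", authorize(session, "tickets:read"))
    print("users:manage allowed:", authorize(session, "users:manage"))
```

Two design points worth noting against the controls list: the authentication function returns the same "None" for a wrong username, a wrong password and a wrong code, and does equal work for unknown users, so an attacker cannot enumerate accounts; and authorization consults only the role table, so a newly added action is denied to every role until someone grants it explicitly.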

The identity and access management architecture will incorporate the following principles:

 Account for both private and public identifiers for customers and employees

 Keep PII separate from the systems' operational data

 Keep the access controls external to the individual systems

 Assign trust levels to the components of the network

 Keep onboarding and self-service enrolment as separate processes

 Use pseudonyms when sharing attributes

 Keep privileged accounts separate from everyday accounts

 Encrypt data

 Identify and remediate identity-related risks on an ongoing basis

Security Assessment and Testing Strategic Plan



Objectives: Evaluate and test the cybersecurity effectiveness of the software; identify the security threats to it; validate the effectiveness of its security controls; and confirm that the application operates efficiently and effectively.

Target audience: management, the software assessment and testing team, clients, and software staff

Roles and responsibilities:

Team lead: set up the assessment and testing processes; create, approve and track the assessment and testing plans

Designers: create, assess and test the security models

Engineers: run the assessment and test cases, record defects, analyze the assessment and test outcomes, and write the reports

Review standards and policies:

The relevant standards and policies to be applied are:

i. NIST SP 800-115, the technical guide to information security testing and assessment (Scarfone et al., 2008)

ii. ISSAF, the Information Systems Security Assessment Framework

iii. OSSTMM, the Open Source Security Testing Methodology Manual

iv. PTES, the Penetration Testing Execution Standard

Security Requirement Analysis:

The engineer identifies the security properties to be evaluated and tested during the process, including: user management, authentication, data confidentiality, integrity, authorization, accountability, privacy, transport security, session management, and tiered system segregation.



Methodology:

i. Prioritization of the assessment: determine which systems should be evaluated and how long the assessment will take, based on the expected benefits, the categorization of each system, applicable regulations, and scheduling requirements

ii. Dependency testing: test third-party modules and libraries to identify vulnerabilities they introduce into the application, file system, registry, or other modules

iii. Client-side testing: test through the user interface by supplying malformed input such as unexpected values, cross-site scripting payloads, escape characters, error-triggering input, and overlong strings

iv. Design testing: check for open and insecure ports, debug code that may still be linked into the production build, and insecure default accounts and values

v. Implementation testing: test for unintentional or intentional disclosure of data by the application's designers and implementers

vi. Review the architecture and design to identify flaws that may arise from insecure functioning of the application

vii. Review the UML models to understand the application's modules

viii. Create and review a threat tree that breaks threats down into testable tasks

ix. Static analysis: a white-box approach, performed through code review and source code analysis, that finds errors and inconsistencies the black-box approaches above cannot reach

x. Dynamic testing such as penetration testing, using binary analysis tools, web application scanners, and proxy tools, to find further vulnerabilities. Penetration testing will identify threats related to:

 cookie poisoning

 cross-site scripting

 server misconfiguration

 platform threats

 SQL injection

 command injection

 form manipulation

 weak session management

 buffer overflows

xi. Configuration management testing: check for errors in the application configuration, hardware, database, or environment that may lead to security weaknesses in the software.
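Steps iii (client-side testing with malformed input) and x (SQL injection as a penetration-test finding) are illustrated by the following added example, which is not part of the original plan or of any project's code. It places a login query built by string concatenation next to its parameterized form and drives both with constructed probe inputs against an in-memory SQLite database; the table, the two accounts and the payload list are all made up, and passwords are stored in plaintext only to keep the demonstration short.

```python
"""A login query vulnerable to SQL injection beside its parameterized form,
exercised with the kinds of malformed client-side input the methodology lists.
Added example on an in-memory SQLite database with constructed data; not the
project's own code.  Plaintext passwords are used only to keep the demo short."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])  # constructed rows
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Bound parameters: the input is always data and cannot change the query's structure."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


# Constructed probe inputs: comment and tautology payloads, a legitimate apostrophe,
# an XSS string (harmless to SQL but typical of client-side tests) and an overlong string.
PAYLOADS = ["admin'--", "' OR 1=1 --", "O'Brien", "<script>alert(1)</script>", "A" * 10000]


def probe(conn, login, payloads):
    """Submit each payload as the username with a wrong password.
    A returned user means authentication bypass.  An unhandled SQL error is also a
    finding: it shows the input reaches the parser and usually surfaces as a 500."""
    results = {}
    for payload in payloads:
        try:
            results[payload] = "BYPASS" if login(conn, payload, "wrong-password") else "ok"
        except sqlite3.Error as exc:
            results[payload] = "ERROR: " + type(exc).__name__
    return results


def run_demo():
    conn = make_db()
    return {"vulnerable": probe(conn, login_vulnerable, PAYLOADS),
            "hardened": probe(conn, login_hardened, PAYLOADS)}


if __name__ == "__main__":
    for variant, results in run_demo().items():
        print(variant)
        for payload, outcome in results.items():
            print("  %-34r %s" % (payload[:30], outcome))
```

Against the concatenated query the comment payload and the tautology both log in without a valid password, and the innocent name "O'Brien" produces a database error; the parameterized query treats every one of the same inputs as data and simply reports no match, which is the behaviour the test report should document as the fix being verified.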

Test outcomes: reported to all interested parties. The test report will contain:

i. Vulnerabilities found in the application

ii. All the features assessed and tested

iii. All the executed tests

iv. All the defined risks

v. Conclusion and recommendation

Software Development Security Plan



The organization will use a secure Software Development Lifecycle (SDLC) to develop its applications. The process incorporates several best practices that enable an organization to attain its software development goals while reducing vulnerabilities (White & Sjelin, 2022).

Phase 1: Gather, prioritize, and analyze requirements. The software development team will prepare a software risk profile that describes the potential attacker entry points and categorizes the risks by level. The risk profile will then be consolidated with security and privacy policies, regulatory requirements, and standards to derive the security requirements for the software in terms of six security properties: confidentiality, integrity, availability, authentication, authorization, and accountability (Souppaya et al., 2021).

Phase 2: Design the software through threat modeling, secure design, and planning of the security features. The team will decompose the planned software topology into functional components and identify the threats to each one, then prioritize and categorize the threats together with the countermeasures or controls for them. A secure design will be achieved by partitioning the system and building the security features into the application.

Phase 3: Develop the software through secure coding, static analysis, and frequent peer review. The team will follow secure coding practices to minimize risk, test frequently, conduct language-specific and checklist-based peer reviews, and run automated code analysis (Souppaya et al., 2021).

Phase 4: Deploy and support the software through penetration testing, security review, and an incident response plan. Penetration testing will verify that the identified security risks have been addressed and allow any remaining issues to be fixed.
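Phase 3 calls for automated code analysis alongside secure coding. The following added example (not part of the original plan or of any project's tooling) shows the shape of such a check: a small visitor over Python's `ast` module with three constructed rules, for SQL statements assembled from dynamic strings, subprocess calls with `shell=True`, and `eval`/`exec`, run over a constructed source sample. The rule names, the sample code and the messages are all made up for the illustration.

```python
"""Minimal AST-based static check of the kind run as an automated code-analysis step.
Added example: the rules and the sample source are constructed for illustration;
this is not the organization's own analyzer."""
import ast

SQL_CALLS = {"execute", "executemany", "executescript"}
SUBPROCESS_CALLS = {"run", "call", "Popen", "check_output", "check_call"}


def _is_dynamic_string(node):
    """True when a string is assembled at runtime (f-string, %, +, or .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def _callee_name(call):
    """'execute' for cur.execute(...), 'eval' for eval(...), '' for anything exotic."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


class Findings(ast.NodeVisitor):
    def __init__(self):
        self.items = []  # (line, rule_id, message)

    def visit_Call(self, node):
        name = _callee_name(node)
        if name in SQL_CALLS and node.args and _is_dynamic_string(node.args[0]):
            self.items.append((node.lineno, "SQLI",
                               "SQL statement built from a dynamic string; use bound parameters"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.items.append((node.lineno, "CMDI",
                                       "subprocess with shell=True; pass an argument list instead"))
        if name in {"eval", "exec"}:
            self.items.append((node.lineno, "EVAL", "eval/exec on data is code injection"))
        self.generic_visit(node)  # keep walking: the dangerous call may be nested in arguments


def scan(source, filename="<source>"):
    """Parse `source` and return findings sorted by line."""
    visitor = Findings()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.items)


# Constructed sample with one clean and one flawed form of each pattern.
SAMPLE = '''\
import subprocess
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    subprocess.run("ping -c 1 " + user, shell=True)
    subprocess.run(["ping", "-c", "1", user])
    return eval(user)
'''

if __name__ == "__main__":
    for line, rule, message in scan(SAMPLE, "sample.py"):
        print("sample.py:%d: [%s] %s" % (line, rule, message))
```

The check is syntactic, so it flags only what it can see in the tree: a query string passed through a variable is missed, and a `shell=` argument whose value is computed is not recognised as `True`. That is the usual trade-off for a fast gate in the review pipeline, and it is why the plan pairs automated analysis with checklist-based peer review rather than relying on either alone.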

Risk Analysis and Mitigation Recommendations



During software development, risk analysis will be achieved by:

 Defining the security requirements for the software development process

 Ensuring that all team members carry out their roles and responsibilities

 Implementing a supportive toolchain that improves consistency and accuracy through automation (Dodson et al., 2020)

 Defining the criteria for checking software security processes and mechanisms

The recommended mitigations for security risks include:

 Protecting all code from unauthorized access and tampering

 Verifying the integrity of the software before release

 Archiving and protecting each software release

 Designing software that meets the stated requirements and mitigates the identified security risks

 Reviewing the software design to confirm that it complies with the risk information and requirements (Dodson et al., 2020)

 Verifying that third-party software complies with the security requirements

 Ensuring that the source code adheres to secure coding practices.
References

Aleksandrova, S. V., Aleksandrov, M. N., & Vasiliev, V. A. (2018, September). Business continuity management system. In 2018 IEEE International Conference "Quality Management, Transport and Information Security, Information Technologies" (IT&QM&IS) (pp. 14-17). IEEE.

Amiruddin, A., Afiansyah, H. G., & Nugroho, H. A. (2021, October). Cyber-risk management planning using NIST CSF v1.1, NIST SP 800-53 Rev. 5, and CIS Controls v8. In 2021 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS) (pp. 19-24). IEEE.

Beattie, J., & Shandrowski, M. (2020). Cyber-compromised data recovery: The more likely disaster recovery use case. Journal of Business Continuity & Emergency Planning, 15(2), 114-126.

Chattopadhyay, A., Azhar, M. Q., Everson, T., & Ruska Jr, R. (2020, October). Integrated cybersecurity plus robotics lesson using NAO. In Proceedings of the 21st Annual Conference on Information Technology Education (pp. 397-402).

Dodson, D., Souppaya, M., & Scarfone, K. (2020). Mitigating the risk of software vulnerabilities by adopting a secure software development framework (SSDF). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.04232020

Love, P. E., & Matthews, J. (2019). The 'how' of benefits management for digital technology: From engineering to asset management. Automation in Construction, 107, 102930.

Pöhn, D., Seeber, S., Hanauer, T., Ziegler, J. A., & Schmitz, D. (2021, August). Towards improving identity and access management with the IdMSecMan process framework. In The 16th International Conference on Availability, Reliability and Security (pp. 1-10).

Reid, M. B. (2021). Business continuity plan. In Encyclopedia of Security and Emergency Management (pp. 52-57). Cham: Springer International Publishing.

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical guide to information security testing and assessment. NIST Special Publication 800-115.

Souppaya, M., Scarfone, K., & Dodson, D. (2021). Secure Software Development Framework (SSDF) version 1.1: Recommendations for mitigating the risk of software vulnerabilities (NIST Special Publication 800-218, draft). National Institute of Standards and Technology.

T., Plėta, T., Agafonov, K., & Damkus, M. (2019). Cyber security management model for critical infrastructure.

White, G. B., & Sjelin, N. (2022). The NIST Cybersecurity Framework. In Research Anthology on Business Aspects of Cybersecurity (pp. 39-55). IGI Global.

Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50.
