Antony Kungu - Csol550 Final Project - Information System Security Plan


Prime Time Security

Antony Kungu

Cyber Security Management

CSOL 550

Instructor: Prof Brian Russell

_______________________

Information System Security Plan


Produced by
Prime Time Security
July 9, 2018
Document Change History

Version Number   Date         Author(s)     Description
2018.1.1         07/09/2018   Tony Kungu    Initial Draft

CONFIDENTIAL: Internal Use Only Page 2


Company Summary
Prime Time Security and its acquired entities form a group of companies that provide cyber
security services to clients across many sectors. Prime Time Cyber Security Services helps
organizations apply appropriate information security measures by providing ongoing
confidentiality, integrity, availability, and protection for their most sensitive data assets.
Prime Time Security and its affiliated companies are required to identify each
information system that stores, processes, or transmits client data and information,
and to prepare and implement a plan for the security and privacy of those systems. The
objective of information system security planning is to improve the protection of information
technology (IT) resources. All Prime Time Security systems have some level of
sensitivity and require protection as part of sound management practice. The protection of
a system must be documented in a system security plan.

The security plan is viewed as documentation of the structured process of planning
adequate, cost-effective security protection for a system. It reflects input from the
management responsible for the system, including information owners, the system
operator, the system security manager, and system administrators. The system security
plan delineates the responsibilities and expected behavior of all individuals who access the
system.

The purpose of this Information System Security Plan (ISSP) is to provide an overview of the
security requirements for the Payroll system and to describe the controls and critical
elements in place or planned for implementation, based on NIST Special Publication (SP)
800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and
Organizations. Each applicable security control has been identified as either in place or
planned. (SP 800-53 Rev. 3 has since been superseded by Rev. 4, April 2013; control
identifiers and baselines should be checked against the current revision before the plan is
approved.) This ISSP follows the guidance contained in NIST Special Publication (SP) 800-18
Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

The controls described provide a level of security appropriate for the information processed
as of the date indicated on the approval page.

Note: This ISSP is a living document that will be updated periodically to incorporate new
and/or modified security controls. The plan will be revised as changes occur to the
system, the data, or the technical environment in which the system operates.

Management
Planning Management

1. Information System Name/Title:

Unique identifier and name given to the system.

System Name: Payroll System
2. Information System Categorization:

The following table shows the information that is, or will be, processed by the payroll
system, categorized according to FIPS 199.

Information type   Confidentiality     Integrity           Availability
                   (HIGH/MOD/LOW)      (HIGH/MOD/LOW)      (HIGH/MOD/LOW)
Benefits           HIGH                HIGH                HIGH
Name/s             HIGH                HIGH                HIGH
Banking            HIGH                HIGH                HIGH
Address            HIGH                HIGH                HIGH
Phone number       HIGH                MODERATE            HIGH
Salary             HIGH                HIGH                HIGH

The table below shows the highest impact level, per security objective, across all
information processed by the Payroll system (the FIPS 199 high-water mark).

Security objective   LOW   MODERATE   HIGH
Confidentiality                       HIGH
Integrity                             HIGH
Availability                          HIGH

Overall system categorization: HIGH

In FIPS 199 notation: SC payroll system = {(confidentiality, HIGH), (integrity, HIGH),
(availability, HIGH)}. The overall categorization is the highest of the three objectives and
determines the NIST SP 800-53 baseline selected in section 13.

FIPS 199, Standards for Security Categorization of Federal Information and Information
Systems: POTENTIAL IMPACT by security objective

Security objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized disclosure of information could be expected to have a limited
  adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious
  adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or
  catastrophic adverse effect on Prime Time Security operations, organizational assets, or
  individuals.

Security objective: Integrity
Guarding against improper information modification or destruction, including ensuring
information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized modification or destruction of information could be expected to have
  a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to
  have a serious adverse effect on organizational operations, organizational assets, or
  individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have
  a severe or catastrophic adverse effect on Prime Time Security operations, organizational
  assets, or individuals.

Security objective: Availability
Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
  LOW: The disruption of access to or use of information or an information system could be
  expected to have a limited adverse effect on organizational operations, organizational
  assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could
  be expected to have a serious adverse effect on organizational operations, organizational
  assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be
  expected to have a severe or catastrophic adverse effect on Prime Time Security operations,
  its assets, or individuals.

Table 1: FIPS 199 Categorization
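The high-water-mark rule behind the categorization tables above (per-objective maximum across all information types, then the overall maximum across the three objectives) is easy to get wrong by hand, as the draft's mixed "MEDIUM"/"MODERATE" wording and unfilled overall row show. The following is an added example, not part of the original plan: it applies the FIPS 199 rule to the plan's own per-information-type ratings, rejects ratings that are not FIPS 199 levels, and renders the result in the standard's SC notation. The function and type names (InfoType, categorize, overall_impact, security_category) and the alias table are this example's assumptions; the ratings are transcribed from section 2.

```python
"""FIPS 199 security categorization: per-objective high-water mark.

Added example (not part of the original plan). The information types and
impact ratings are transcribed from the plan's section 2 table; the
function and type names are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 defines exactly three potential-impact levels, in this order.
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}

# Abbreviations and near-synonyms that appear in draft plans. "MEDIUM" is not
# a FIPS 199 term; it is mapped to MODERATE here rather than rejected.
ALIASES = {"L": "LOW", "M": "MODERATE", "MOD": "MODERATE",
           "MEDIUM": "MODERATE", "H": "HIGH"}

OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One row of the categorization table: an information type and its ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def normalize(level: str) -> str:
    """Map a rating string to LOW / MODERATE / HIGH, or reject it."""
    key = level.strip().upper()
    key = ALIASES.get(key, key)
    if key not in IMPACT_ORDER:
        raise ValueError(f"not a FIPS 199 impact level: {level!r}")
    return key


def high_water_mark(levels: Iterable[str]) -> str:
    """The highest impact level in a collection (the FIPS 199 high-water mark)."""
    normalized = [normalize(level) for level in levels]
    if not normalized:
        raise ValueError("no impact levels supplied")
    return max(normalized, key=IMPACT_ORDER.__getitem__)


def categorize(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective high-water mark across every information type on the system."""
    rows: List[InfoType] = list(info_types)
    return {obj: high_water_mark(getattr(row, obj) for row in rows)
            for obj in OBJECTIVES}


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall system impact: the high-water mark across the three objectives.

    This is the value that selects the SP 800-53 baseline (LOW/MODERATE/HIGH).
    """
    return high_water_mark(sc[obj] for obj in OBJECTIVES)


def security_category(system_name: str, info_types: Iterable[InfoType]) -> str:
    """Render the FIPS 199 security category in the standard's own notation."""
    sc = categorize(info_types)
    body = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{body}}}"


# Constructed input: the plan's per-information-type ratings (section 2).
# "MEDIUM" is kept deliberately to show that non-FIPS spellings are normalized.
PAYROLL_INFO_TYPES = [
    InfoType("Benefits", "HIGH", "HIGH", "HIGH"),
    InfoType("Name/s", "HIGH", "HIGH", "HIGH"),
    InfoType("Banking", "HIGH", "HIGH", "HIGH"),
    InfoType("Address", "HIGH", "HIGH", "HIGH"),
    InfoType("Phone number", "HIGH", "MEDIUM", "HIGH"),
    InfoType("Salary", "HIGH", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    sc = categorize(PAYROLL_INFO_TYPES)
    print(security_category("payroll system", PAYROLL_INFO_TYPES))
    print("overall impact / SP 800-53 baseline:", overall_impact(sc))
```

Because the maximum is taken per objective first, a system whose only HIGH rating is for the integrity of one information type still lands in the HIGH baseline overall; the per-type table is an input to the decision, not a substitute for it.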

3. Information System Owner:

The information system owner is a Prime Time Security official responsible for the
procurement, development, integration, modification, operation, maintenance, and
disposal of an information system. In coordination with the information system security
officer, the information system owner is responsible for the development and
maintenance of the security plan and ensures that the system is deployed and operated in
accordance with the agreed-upon security controls.

System Owner's Name: John Major
Title: Director of Finance
Organization/Division: Finance/Payroll Department
Address: Minneapolis, MN
Email: John_Major@primetimesecurity.com
Phone #1: +1 952-369-2638
Phone #2:
Signature:
Date: 07/01/2018
4. Authorizing Official:

Authorizing Official's Name: Paul Wellstone
Title: CIO
Organization/Division: IT
Address: Minneapolis, MN
Email: Paul_wellstone@primetimesecurity.com
Phone #1: +1-52-369-2634
Phone #2:
Signature:
Date: 07/01/2018

5. Chief Information Security Officer (CISO):

Name: Kirkland Benson
Title: CISO
Organization/Division: Cyber Defense
Address: Minneapolis, MN
Email: Kirkland_benson@primetimesecurity.com
Phone #1: +1 952-369-2458
Phone #2:
Signature:
Date: 07/01/2018

6. Other Designated Contacts:

List other key personnel, if applicable; include their title, address, email address,
and phone number.

                  Key Personnel                        Key Personnel
Name              Mani Kapul                           Danielle Johnson
Title             System Administrator                 System Programmer
Organization      IT                                   IT
Address           Minneapolis, MN                      Minneapolis, MN
Email             Mani_kapul@primetimesecurity.com     Danielle_johnson@primetimesecurity.com
Phone #1          +1 952-369-4520                      +1 952-369-1579
Phone #2

7. Information System Operational Status:

The table below indicates the operational status of the system.

Operational   Under Development   Major Modification

8. Information System Type:

The table below indicates whether the system is a major application or a general support
system.

Major Application   General Support System

9. General System Description/Purpose

The payroll system is used for balancing and reconciling payroll data and for depositing and
reporting taxes. The payroll department handles wage deductions, record keeping, and
verifying the reliability of pay data. The payroll system calculates the amount owed to each
employee based on factors such as time worked, hourly wage or salary, and any vacation or
holiday time taken during the pay period. The system then adjusts gross pay by calculating
and subtracting taxes and other withholding amounts.

12. Related Laws/Regulations/Policies

The information processed by the payroll system is subject to the following:

• Gramm-Leach-Bliley Act (GLBA) (financial information)
• PCI DSS (credit card data)
• HIPAA (benefits and medical records)

13. Minimum Security Controls

The table below shows the minimum security control baseline (low-, moderate-, or high-
impact) from NIST SP 800-53 that applies to the system. The baseline is selected from the
overall FIPS 199 categorization in section 2.

Check one   Security requirement
            This system requires the LOW IMPACT security control set
            This system requires the MODERATE IMPACT security control set
X           This system requires the HIGH IMPACT security control set
            This system requires the MODERATE IMPACT with HIPAA/HITECH security control set

Because benefits and medical records are subject to HIPAA (section 12), the HIPAA/HITECH
requirements apply in addition to the HIGH impact baseline; the HIPAA/HITECH row above is not
an alternative to it.

14. Information System Security Plan Completion Date: 07/01/2018

15. Information System Security Plan Approval Date: 07/01/2018

Due care: the degree of care that an ordinary and reasonable person would normally exercise
over his or her own property, or under circumstances like those at issue. The concept of due
care is used as a test of liability for negligence.
