IT-549 · Foundation in Information Assurance · Graduate
Information Assurance Plan
This graduate-level final project delivers a comprehensive information assurance plan for an organization with identified gaps across the CIA triad. Grounded in NIST SP 800-30, 800-53, 800-61, and 800-34, it covers risk assessment, defined roles and responsibilities, incident and disaster response policies, access control standards, and a structured plan maintenance framework.
Current state assessment
An assessment of the organization's information environment identified varying levels of effectiveness across confidentiality, integrity, and availability controls. The most critical gaps were:
- Inconsistent MFA enforcement and infrequent access reviews creating unauthorized access risk
- Patch management delayed by operational constraints, leaving systems exposed to known vulnerabilities
- Decentralized logging with no SIEM, limiting visibility into security events and threat detection
- Incident response and disaster recovery plans that exist on paper but are not regularly tested
- Security awareness training that does not adequately address phishing or credential theft
Roles and responsibilities
Executive leadership
Approves security policies, allocates resources, ensures regulatory compliance, and sets the organizational security culture.
CIO / CISO
Translates executive direction into technical and administrative controls. Oversees patch management, access control, monitoring, and incident response programs.
System administrators
Configure systems securely, apply patches, manage user accounts, monitor logs, and respond to security alerts on a day-to-day basis.
All employees
Adhere to security policies, protect credentials, complete security awareness training, and report suspicious activity through defined escalation paths.
Risk matrix
| Threat / Vulnerability | Likelihood | Impact | Risk | Mitigation |
|---|---|---|---|---|
| Unpatched vulnerabilities (e.g., Exchange CVE-2021-26855) | High | High | High | Timely patching, vulnerability scanning, system hardening |
| Ransomware attacks | High | High | High | Offline and immutable backups, MFA, endpoint protection, tested IR plans |
| Credential compromise via phishing | High | Medium | High | MFA enforcement, security awareness training, email filtering |
| Insider misuse or excessive privileges | Medium | Medium | Medium | Least privilege enforcement, quarterly access reviews, activity monitoring |
| Misconfigured systems or controls | Medium | Medium | Medium | Configuration baselines, audits, automated configuration management |
| Denial-of-service or availability disruptions | Low | High | Medium | Redundancy, network monitoring, disaster recovery planning |
| Data integrity loss from unauthorized changes | Low | Medium | Low | Integrity monitoring, logging, change management procedures |
Policy statements
Incident response policy
All employees must report suspected security events immediately to the designated incident response team. The policy defines procedures for identification, containment, eradication, and recovery, with clearly assigned roles for escalation, communication, and documentation throughout the incident lifecycle. Following NIST SP 800-61, these structured procedures reduce attacker dwell time and minimize operational impact.
Disaster response policy
Regular data backups, secure off-site backup storage, and prioritized recovery of critical systems are required. Recovery time and recovery point objectives are defined per system. Disaster recovery roles and communication protocols ensure coordinated response. NIST SP 800-34 compliance requires routine testing — not just documentation — of all recovery procedures.
Access control policy
Access is granted based on job function using role-based access control and least privilege. MFA is required for administrative accounts, remote access services, and systems containing sensitive data. Access rights are reviewed at least quarterly and adjusted immediately upon role change or separation. The policy balances strong protection with usability so that users are not driven to bypass controls through workarounds.
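As an added illustration, not part of the original plan, the following check applies the three concrete rules above (MFA scope, quarterly review, immediate removal on separation) to a constructed account inventory; the account fields, role names and the 90-day review interval are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed interpretation of "at least quarterly": a review older than 90 days is overdue.
REVIEW_INTERVAL_DAYS = 90


@dataclass
class Account:
    user: str
    roles: tuple              # assumed role labels, e.g. ("admin",), ("remote",)
    mfa_enabled: bool
    last_access_review: date
    separated: bool = False   # HR separation flag; access must be removed immediately
    handles_sensitive_data: bool = False


def mfa_required(acct: Account) -> bool:
    """MFA scope from the policy: admin accounts, remote access, sensitive-data systems."""
    return "admin" in acct.roles or "remote" in acct.roles or acct.handles_sensitive_data


def audit(accounts, today: date):
    """Return (user, finding) pairs for every account that violates the access control policy."""
    findings = []
    for a in accounts:
        if a.separated:
            findings.append((a.user, "active account for separated user"))
        if mfa_required(a) and not a.mfa_enabled:
            findings.append((a.user, "MFA not enforced"))
        if (today - a.last_access_review).days > REVIEW_INTERVAL_DAYS:
            findings.append((a.user, "access review overdue"))
    return findings


def sample_findings():
    """Run the audit over a constructed inventory with a fixed 'today' for repeatability."""
    inventory = [
        Account("alice", ("admin",), True, date(2024, 1, 10)),
        Account("bob", ("remote",), False, date(2023, 10, 1)),
        Account("carol", ("finance",), True, date(2023, 11, 15), handles_sensitive_data=True),
        Account("dave", ("staff",), False, date(2024, 2, 1), separated=True),
    ]
    return audit(inventory, today=date(2024, 3, 1))


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```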
Plan maintenance policy
The information assurance plan is a living document, reviewed annually and following any significant incident, technology change, or regulatory update. Security awareness training is conducted on a recurring schedule. Regular risk assessments, audits, and incident response exercises validate that controls remain effective as the threat landscape evolves.
Implementation barriers and mitigations
- Operational constraints on patching: Schedule maintenance windows during low-impact periods; prioritize by CVSS severity
- Resistance to MFA adoption: Lead with executive-mandated rollout; demonstrate phishing risk with tabletop exercises
- Budget and staffing limits: Prioritize controls by risk level; leverage open-source SIEM tooling to extend coverage without significant cost
- Untested response plans: Run tabletop and functional exercises quarterly; document lessons learned and revise procedures after each