Welcome to CyberAdeptness LLC

Information Systems Security Officer (ISSO) Services

What is an ISSO?

An ISSO is someone who works closely with the organization's management, network team, and application team to ensure that the policies and procedures agreed upon by the executive management are applied correctly, working as intended, and enforced as part of the organization's Systems Development Life Cycle (SDLC).

What are the ISSO's responsibilities?

The ISSO is responsible for:
  1. Identifying the systems security requirements impacting the systems under their purview for all Open Systems Intercommunication (OSI) Layers found within the systems boundary.
  2. Coordinating with the Network and Application Teams as deemed necessary to ensure that organizational level policies and procedures are followed properly.
  3. Developing and Maintaining Up-To-Date all of the Systems Security Documentation required to meet compliance.
  4. Ensuring that the Systems Development Life Cycle (SDLC) incorporates the necessary security requirements from inception and through the life cycle of the system.
  5. Pre-Auditing the systems to ensure they are ready for a 3rd Party Risk Assessment as required by the standards.

What are the ISSO's Pre-Audit Requirements?

An ISSO must be able to perform a technical level assessment of the systems by leveraging a set of tools. The tools to be used are unique to each organization's environment(s) and technology. It is the ISSO's responsibility to identify the tools required and for the organization to provide access to the tools unless stated in the contract.

What is the ISSO's Document Output?

The Output from an ISSO, includes but is not limited to the following documents:
  1. FIPS 199 Security Categorization
  2. E-Authentication Assessment Report (E-Auth)
  3. Systems Security Plan (SSP)
  4. Contingency Plan (CP)
  5. Disaster Recovery Plan (DRP)
  6. Plan of Actions and Milestones (POA&M)
  7. Incident Recovery Plan (IRP)
  8. Monthly or Bi-weekly System Status Report

When is an ISSO required?

An ISSO is required when the organization is ready to implement the Security Program and/or has a program in place but does not have personnel knowledgeable with the development and/or maintenance of the documentation noted above. There's two types of ISSO's:
  1. Senior Level ISSO- The Senior Level ISSO is best suited for documenting the Enterprise Level Systems that have an impact on the management of other systems. The Senior ISSO is therefore responsible for developing the Enterprise Level Documentation by clearly delineating which controls are hybrid, technology specific or fully inherited.
  2. General ISSO- The Junior/Mid-career ISSO is best suited at the system level. They work closely with the Senior ISSO to ensure that the systems under their purview meet organizational level requirements to include requirements not covered in full by the Enterprise Level Management Systems and/or that are unique to the hosting environment.