CSOL 530
The Gaming Company Inc. is a video game company that provides digital distribution of games
that users can purchase, as well as updates and digital content for those games. Because so many
users rely on the content the company provides, it is important that the risk to the company is
managed and that the three elements of the CIA Triad are properly maintained across all company
assets. The system that is the focus of this discussion is the set of cell phones assigned to
employees who need them. The following paper will discuss how risk is assessed for the system, how it is
Today's cell phones are not only mobile phones but handheld computers as well. Because they
are both a phone and a computer, our cell phones process and transmit many different types of
information, ranging from health or location data to stored passwords and credit card information.
Our company not only provides work cell phones to employees, but we also have a wireless network
set up and allow the use of personal devices. Mobile phones require more protection than other
devices because "their nature generally places them at higher exposure to threats than other client
devices" (Souppaya & Scarfone, 2013). They transmit information wirelessly, so no physical
connection is needed to steal information, and they are small and therefore easy to lose or steal.
Because the company provides work cell phones that are constantly used to transmit work-related
information, and because we allow the use of personal devices, it is our responsibility to ensure
that security is taken seriously when it comes to cell phones and the proper
In the Risk Management Framework, the three concepts used to categorize a system are
Confidentiality, Integrity, and Availability. Confidentiality rests on the principle that
information should only be available to those who require it and should not be accessible to
everyone: information must be protected from those who do not have the authority to access it.
Integrity ensures that information has not been tampered with and that the information accessed
or received is indeed the information that was stored or sent. Lastly, availability is the idea
that all services should be continuously available and should not go down unintentionally (2011).
I would categorize the company's mobile phone system as Moderate, Low, Low. I rate confidentiality
the highest because a mobile phone can easily be stolen, and because phones transmit wirelessly,
information can be intercepted. However, I do not think that information stolen from a mobile
phone would have a catastrophic effect on the company. Encryption and remote wipe should be put
in place to protect the information on the phone in case it is taken. I would categorize the
integrity of the mobile phones as low: there could be adverse effects if information transferred
through a mobile phone is modified or deleted, but no critical information should be transmitted
over a cell phone in the first place, and there should always be an expectation that information
sent over a cell phone may be lost. Important information should never be stored on one's cell
phone. Lastly, I rated availability as low impact because even if communication through the cell
phone fails, there are other ways of reaching someone, such as email, chat, or a landline. The
mobile phone is not the only way of reaching someone else in the company, and it would not be a
catastrophic event for the company if availability were compromised. Likely at most, it
There are six steps in the Risk Management Framework (RMF) security lifecycle:
categorizing the information system, selecting the security controls, implementing the security
controls, assessing the security controls, authorizing the information system, and monitoring the
security controls. Now that we have categorized the system, the next step is selecting the
security controls based on this categorization to minimize risk. Controls are pulled from
NIST SP 800-53 rev. 5 according to their applicability to the system's impact ranking. "The controls
have been designed to facilitate compliance with applicable laws, Executive Orders, directives,
policies, regulations, and standards" (2017). Because the cell phones have been categorized as
moderate, low, low, the baseline common controls for this impact rating can be applied. All
controls will be applied up to the moderate level, including some control enhancements.
NIST SP 800-124 rev. 1 specifically addresses the security of mobile devices. The list of major
controls in the NIST SP 800-53 which affect enterprise mobile device security are: AC-3 Access
Enforcement, AC-4 Information Flow Enforcement, AC-17 Remote Access, AC-18 Wireless
Access, AC-19 Access Controls for Mobile Devices, AC-20 Use of External Information
Systems, AT-2 Security Awareness Training, AU-2 Audit Events, CA-7 Continuous Monitoring,
CM-6 Configuration Settings, IA-2 Identification and Authentication (organizational users), IA-3
Transmission Confidentiality and Integrity, SC-28 Flaw Remediation, SI-4 Information System
Monitoring, SI-7 Software, Firmware, and Information Integrity (Souppaya & Scarfone, 2013).
Assuming the applicable controls have been applied to The Gaming Company cell
phones, we can move onto assessing the security controls. The figure below shows an example
Plan of Actions and Milestones (POA&M) for the company cell phones based on its applicable
controls.
Figure 1 - POA&M
The POA&M shows which controls have not been applied, the severity of leaving those controls
unapplied, what it would take to fix each one, and whether the control has since been applied. The
Authorizing Official (AO) reviews the POA&M, along with other artifacts, to determine whether
the residual risk is acceptable and the system can be authorized. In this case, the AO would likely
grant an Authorization to Operate (ATO) for the system, since the unapplied controls have a low
severity and are mitigated by other controls. These controls should be applied before it is
The last step of the RMF process is monitoring the security controls. Monitoring the
security controls of the system is an ongoing process used to determine how effective the
controls are, to track any changes to the system, and to make sure it complies with any applicable
laws, policies, and/or standards. One aspect of continuous monitoring is attempting to apply controls
that are included in the POA&M, as mentioned in the previous paragraph. ATOs are typically
granted for a three-year period, so an attempt should be made within that period to apply the
controls that were previously left out. In this phase of RMF, security should also be checking
for updates and applying patches, as well as testing and deploying them. Each cell phone should
be synced to a common time source, access controls should be reconfigured if needed, and any
anomalies that are detected should be documented. Changes to hardware and software need to be
tracked in logs, and software updates should only be made after security has tested them.
Personnel at the company change, so it should be tracked which employees have devices checked
out and which applications are needed on each device. If access to a phone is revoked, that
individual's permissions need to be taken away, and the data needs to be scrubbed when an
employee no longer uses the device. Luckily, changes to the working environment do not make
much difference to the cell phone system. Whatever location the company moves to, and whenever
employees from another organization may be around, lockers should always be provided so that
employees can lock up their phones when not in use. Assessments should be performed
periodically, as should log reviews, vulnerability scans, and penetration tests. Periodic security
training, once a year, should also be given to those who use the mobile phones. All of these
continuous monitoring strategies should be stated in the continuous monitoring plan and signed
off by both management and security.
There are many different steps in the RMF process, and the process is never over as long as
the system is in use. An assessment event and obtaining an ATO are not the end of RMF; continuous
monitoring is arguably one of the most important parts of the entire lifecycle, and it is often the
longest. A great deal of importance needs to be placed on continuous monitoring, and participation
from management is necessary to ensure that security is being applied to the system. Although risk
is never completely eliminated, there are controls that can be put in place to help mitigate the
risk and ensure that no threats take place against the system. Cell phones can be very susceptible
to cyber-attacks. "It's easy to forget that your mobile phone is essentially a pocket-sized computer
and that, just as with any device that can connect to the Internet, mobile phones are at risk of a
cyberattack" (Gilani, 2016). This risk becomes an even bigger issue when there are many cell phones
spread across many individuals in the company. It is important that security is taken seriously and
that the controls mentioned above are properly implemented to protect the company and its employees
from a cyber-attack. Following the RMF process from start to finish, ensuring that the system is
categorized, that security controls are selected, implemented, and assessed, and that the system is
authorized and monitored, is essential to maintaining security for the system. Following the steps
laid out in this paper will ensure that a minimal amount of risk is introduced to the cell phones of
The Gaming Company.
References
Brian, M., Tyson, J., & Layton, J. (2000, November 14). How Cell Phones Work. Retrieved July 13,
https://resources.infosecinstitute.com/cia-triad/#gref
Draft NIST Special Publication 800-53 Revision 5 Security and Privacy Controls for Information
Systems and Organizations. (2017, August). Retrieved July 21, 2019, from
https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
FIPS PUB 199 Standards for Security Categorization of Federal Information and Information
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Gilani, S. (2016, November 6). Mobile Phone Security: All You Need to Know. Retrieved July 29,
NIST Special Publication 800-39 Managing Information Security Risk Organization, Mission, and
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
Souppaya, M., & Scarfone, K. (2013, June). NIST Special Publication 800-124 Revision 1
Guidelines for Managing the Security of Mobile Devices in the Enterprise. Retrieved July 13,