Cyber Management
CSOL 550
Dr. Moore
THE GAMING COMPANY INC.
Table of Contents
Abstract………………………………………………………………………………pg i
1: Company Summary………………………………………………….……………pg 4
2: Management………………………………………………………….……………pg 4
3: Planning Management……………………………………………….………….…pg 7
4: Implementation Management…………………………………………………...…pg 10
5: Risk Management……………………………………………………………….…pg 11
6: Cost Management………………………………………………………………….pg 13
7: Recommendation…………………………….…………………………………….pg 17
References:…………………………………………………………………………....pg 19
Abstract
This Information System Security Plan (ISSP) documents the defense of the system and
works to improve the protection of the system and its resources. It provides an overview of the
security requirements and how to put controls in place in order to meet them and mitigate risk.
The plan also describes the responsibilities of each individual involved with the system. This
plan shall be viewed as the planning for the security of the system and shall reflect input from the
system owner and management. The document is a living document and shall be reviewed and
updated periodically. It gives an understanding of the systems involved, its risks, and the security
1: Company Summary
The Gaming Company Inc. is a video game company that provides the digital distribution
of games that can be purchased by users as well as updates and digital content for these games.
Because the Gaming Company has so many users that rely on the content that is provided by the
company, it is important that the risk to the company is managed and that the information of its
customers is protected. The company provides digital rights management, matchmaking servers,
video streaming, and social networking services. The architecture is composed of several
servers, routers, switches, and firewalls. The focus of this document shall be the server lab
located in San Diego, CA. This ISSP document shall describe the security goals of its systems
2: Management
While corporate practices and cybersecurity practices should work together, this is often
not the case and instead they can create opposing objectives. Corporate practices put an emphasis
on creating the biggest possible profit for the company and spending little on extra overhead.
Cybersecurity practices require that proper investment is put into cybersecurity to reduce risk for
the company, and this costs extra money as well as time. It is important for The Gaming
Company Inc. that management understands the importance of both practices and finds the
“Cybersecurity is about risk management” (Touhill & Touhill, 2014). The business, its
important that when managing risk, it is not viewed as a technical issue, but an issue that affects
the entire company. Security is everyone’s responsibility and managers at each level of the
company should understand the importance of cybersecurity and how to ensure its effectiveness.
they also want to invest wisely and do not want to overspend in cybersecurity, especially when
they do not understand the positive returns of it. The “manager must be able to clearly see the
pros and cons of certain courses of action and be able to choose and negotiate a compromise
which best serves the organization in the long run” (Wood, 2005). Management must understand
cybersecurity in order to make a proper decision on how the company will invest in it.
Management understands our corporate practices because they work with them constantly and
understand the language of business, but they do not typically understand how cybersecurity
works. Cybersecurity requires many controls to be put in place to mitigate risk and this often
includes complex technical controls. Without strong communication between management and
security professionals, management may not understand the terminology and see the issue as a
purely technological one rather than understanding that its purpose is to support the business.
Poor communication between the two parties can result in an inadequate investment in
cybersecurity, because of the lack of understanding of the importance of its implementation and
how it benefits the company. “The cybersecurity staff must work within business units to
organization” (Oltsik, 2019). Management at The Gaming Company Inc. is responsible for
investing in a company culture that takes security seriously and promotes open communication
between business units and cybersecurity. With the proper understanding of cybersecurity
practices and the proper investment in the importance of cybersecurity for the company, both
practices can work together to protect the company from possible risk and bring about the
There are several roles and responsibilities involved in order to keep The Gaming
Company Inc. systems secure. It is important that these roles are reviewed periodically and that
the responsibilities are kept current. The roles and responsibilities in this section explain the roles
and their associated responsibilities for maintaining security for the system. The Chief
Information Officer (CIO) is responsible for developing and maintaining the security program of
the system which includes developing and maintaining the system security policies, procedures,
and controls in the security planning. They ensure that their personnel are trained and have their
associated responsibilities as well. The Information System Owner (ISO) is responsible for the
development and maintenance of the system; they must ensure that the system is operated
to the agreed security requirements and update the security plan whenever changes occur. The
Information Owner decides who has access to the system and what privileges they have. The
Senior Agency Information Security Officer (SAISO) is the primary liaison for the CIO to the
information system owners and security officers. They carry out the responsibilities of the CIO
and coordinate with the system owners and security officers and authorizing official. The
Information System Security Officer (ISSO) ensures that the proper security posture is
maintained and assists the SAISO. Lastly, the Authorizing Official (AO) is the executive that
has the authority to formally assume responsibility for the system and ensures that it is at an
acceptable risk level. They approve the system security plans and authorize the operation of the
system.
3: Planning
The most important part of maintaining a secure working environment for all is the
physical security. We can make the network architecture as secure as possible, however it would
be for nothing if someone is able to simply walk up to the servers and manipulate them as they
wish. The entrance to the company building includes a gate guard as well as a traffic arm. The
guard will be present during the typical company work hours to manually view credentials and
streamline the entrance. Outside of the typical work hours, the traffic arm will be down and will
only raise when the driver scans their smart card and has the proper credentials to enter. There
will also be a 24-hour camera to monitor the entrance and it will be well lit as well to deter
intruders. The parking area shall remain lit whenever dark and monitored constantly by cameras
for the safety of employees as well. The fence surrounding the facility should be raised to 8 feet
to also deter intruders and force authorized persons to go through the gate for accountability
purposes. Raiseable bollards shall be present in front of the traffic arm. Should there be a need
for an extended period of full employee absence from the campus or an emergency, the bollards
can be raised in front of the traffic arm to prevent an intruder from ramming through the area in a
vehicle. The servers will be maintained in the lab in its own separate room. This room will
require additional badge access to enter so only those who are granted permission to work on the
servers can enter. This room is also monitored, and it is controlled by HVAC to maintain a
proper temperature. The room shall have a gaseous agent fire suppression to protect the server
equipment in the case of a fire. Uninterruptible power supplies (UPS) will also be installed to
All doorways to the main office or lab will be well lit and monitored by a security
camera 24/7. This will not only deter intruders but provide for accountability of who is entering
the building and when they are doing so. In addition to having a keypad which grants access, the
keypads will be configured with time-of-day settings. Although the typical time settings are set,
employees can always give security a notice if they wish to work off hours or weekends and be
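The keypad policy above (a badge that is provisioned for a door, a time-of-day window, and an off-hours notice registered with security as the only exception) can be expressed as a small fail-closed decision function. The following is an added example written for this page, not code from the plan or the company; the 07:00 to 19:00 weekday window, the door names and the badge holders are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample configuration (illustrative, not the company's real settings):
# badges open doors during the typical work window; outside it, only a notice
# registered with security lets the same badge through.
WORK_START = time(7, 0)
WORK_END = time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday


@dataclass
class Badge:
    holder: str
    doors: set                # doors this badge is provisioned for, e.g. {"office", "lab"}
    active: bool = True


@dataclass
class OffHoursNotice:
    holder: str
    door: str
    start: datetime
    end: datetime


@dataclass
class AccessLog:
    """Append-only record of every decision, for the accountability the plan calls for."""
    entries: list = field(default_factory=list)

    def record(self, when, holder, door, allowed, reason):
        self.entries.append((when.isoformat(), holder, door,
                             "ALLOW" if allowed else "DENY", reason))


def within_work_hours(when: datetime) -> bool:
    return when.weekday() in WORKDAYS and WORK_START <= when.time() < WORK_END


def decide(badge: Badge, door: str, when: datetime, notices, log: AccessLog):
    """Return (allowed, reason). Fails closed: an inactive badge or a door the badge
    is not provisioned for is refused regardless of time; outside the window an
    off-hours notice must match holder, door and moment."""
    if not badge.active:
        result = (False, "badge inactive")
    elif door not in badge.doors:
        result = (False, "badge not provisioned for door")
    elif within_work_hours(when):
        result = (True, "within time-of-day window")
    elif any(n.holder == badge.holder and n.door == door and n.start <= when <= n.end
             for n in notices):
        result = (True, "off-hours notice on file with security")
    else:
        result = (False, "outside time-of-day window and no notice on file")
    log.record(when, badge.holder, door, *result)
    return result


# Constructed sample badges and one off-hours notice (Saturday 2020-01-18, lab door).
ALICE = Badge("alice", {"office", "lab"})
BOB = Badge("bob", {"office"})
NOTICES = [OffHoursNotice("alice", "lab",
                          datetime(2020, 1, 18, 8, 0), datetime(2020, 1, 18, 14, 0))]


def sample_decisions():
    """Run four representative attempts and return their outcomes plus the log."""
    log = AccessLog()
    results = {
        "alice_lab_weekday": decide(ALICE, "lab", datetime(2020, 1, 14, 10, 0), NOTICES, log)[0],
        "alice_lab_saturday_noticed": decide(ALICE, "lab", datetime(2020, 1, 18, 9, 30), NOTICES, log)[0],
        "alice_lab_saturday_late": decide(ALICE, "lab", datetime(2020, 1, 18, 20, 0), NOTICES, log)[0],
        "bob_lab_weekday": decide(BOB, "lab", datetime(2020, 1, 14, 10, 0), NOTICES, log)[0],
    }
    return results, log


if __name__ == "__main__":
    _, log = sample_decisions()
    for entry in log.entries:
        print(entry)
```

The order of the checks matters: provisioning is tested before the time window, so a notice can never widen which doors a badge opens, only when. Every attempt, allowed or denied, is written to the log so that the "who entered and when" record the plan asks for also covers refused attempts.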
A contingency plan is put in place as a plan B: it states the measures to be put in place
should a disruption occur to the company systems and how to restore operations to return to
normal modes of operation with minimal cost and disruption. The hope is that The Gaming
Company Inc. will never need the plan, “but you realize the good times may not always be there.
You recognize there are many risks facing your business and you need contingency plans”
(Touhill & Touhill, 2014). It is important that the contingency plan works with the goals of our
and balances the protection of the network and systems against possible threats, whether they be
man-made or natural disasters. It is important that the contingencies put in place work to protect
the organization in the event of a disaster, while ensuring it still makes sense financially. The
following will explain the needs for protection and explain the key factors that need to be put in
place.
Contingency planning should begin with a management team that represents the various
parts of the organization. They should all work together to ensure the plan is realistic and meets
the needs of the company. The plan must include who is involved and needs to be notified in the
event of a disaster. The company also needs to test the plan regularly to ensure that it would
work when an event occurs; NIST SP 800-34 states that this should occur at least annually.
NIST SP 800-34 also defines a seven-step process to develop the program: 1. Develop the
contingency planning policy statement, 2. Conduct the business impact analysis (BIA), 3.
contingency plan, 6. Ensure plan testing, training, and exercises, and 7. Ensure plan maintenance.
“These seven progressive steps are designed to be integrated into each stage of the system
development life cycle” (Swanson, Bowan, Phillips, Gallup, & Lynes, 2010). Contingency
planning includes a business impact analysis, incident response planning, disaster recovery
planning and business continuity planning. Each part works on ensuring a response and restoring
A contingency plan begins with the goals of the business, “the way business owners
choose to respond to different contingencies will reflect their ultimate goal for the business”
(Hamel, 2016). If the business is in a location prone to certain environmental factors, they would
likely include those mitigations. Government regulations and laws also play a large role in
contingency planning. The plan should include instructions for how the company should deal
with changing regulations and ensure that the plan complies with regulations as well.
Profitability also plays a large role in the planning. While it is important to put money into
security, contingency planning can become expensive and it is important to analyze the worth of
protecting one’s systems. Putting too many protections in place can be expensive and can lessen
work efficiency making it harder to get business done. In the end, the company wants to provide
the proper amount of security while not overspending. A common problem in working
until the business is completely restored. Management may be tempted to work throughout the
disaster; however, this can pose a greater risk to the organization. The Gaming Company Inc.
places human safety above all else, and operations should be halted until further instruction. Hot
sites, although expensive, allow the company to continue operations elsewhere in the event of a
disaster.
The Gaming Company Inc. has several hot sites to start up operations quickly and
effectively in the event of an attack or environmental incident. In the event of a disaster, all
operations are to cease operations until official notice. The Gaming Company Inc. has several
safety is of the utmost importance and it is critical that management give the proper approval
before operations are continued. In the event of a power outage, The Gaming Company Inc. has
several UPS and generators in place to continue operations until power is restored.
4: Implementation Management
The Gaming Company Inc. must implement this ISSP before resuming system use. The
company must implement the plan within six months of the start date of January 1, 2020. The
deadline of completion is June 1, 2020. The roles defined above, as well as several network,
systems, and software engineers shall work together to complete this task.
4.2 Budget
The budget to apply the necessary controls and ensure the security of the systems is $2.4
million. This covers the work of several engineers as well as the associated management
responsibilities. The scope is six months; additional time may be added if additional work is
identified.
5: Risk Management
Risk management is defined as “a process that allows individual risk events and overall
risk to be understood and managed proactively, optimizing success by minimizing threats and
maximizing opportunities” (n.d). The goal of any business is to be profitable, and The Gaming
Company Inc. is no different; understanding risk management plays a large role in
determining its success. One needs to understand where to draw the line and how much security
to implement in order to minimize the risk to the company. Not investing enough in security can
result in vulnerabilities being exploited, while investing in too much security can cause the
company to lose profit and the ability to efficiently conduct business. It is important that
management understands where to draw the line and how to balance both extremes so that
The Gaming Company Inc. can function most efficiently while protecting its customers,
employees, and assets. Iannerelli and O’Shaghnessy pose the question “After all, how much
One of the most important tools in assessing the risk to a company is a cyber
security weaknesses in its environment and provides direction on how to assess the
risks associated” (Rouse & Rosencrance, 2018). The process is important as it allows the
organization to gain a better understanding of its security posture, vulnerabilities, and overall risk
that could possibly be exploited. For the audit, management will decide which systems need to
be assessed; this should include any critical infrastructure where important data resides, such as
the server labs. It is important that management defines the scope of the audit and what is not
permitted throughout the system, and the scope should be set to meet the corporate goals of the
company. While assessing the systems is very important, it could all be useless if the systems are
broken during testing. All defined systems and networks should be scanned with a vulnerability
scanner to determine where the possible vulnerabilities lie, and their severity, and then these can
further be tested by penetration testers. Penetration testers, or “hackers”, are important as they
test which vulnerabilities are exploitable. A vulnerability scanner can pick up many different
possible vulnerabilities, but it is not truly known if they are even a possible threat vector until
someone tests out if it can be exploited. The testers can be internal to the company or external as
there are benefits to both. Internal testers may know the system better and therefore be able to
reach more attack vectors, but external testers will be new to the system and more accurately
depict an outside hacker. These “hackers” are important as they will use everything in their bag
of tools to exploit the system or simply cause it to do what it was not intended to do.
Programmers do not always anticipate every way that a hacker may try to exploit or break the
system, these testers do everything they can to get in and then the results from their report can be
Once risks are identified and their severity assessed, analysis and
prioritization of the fixes will occur. During this time, the team will work to identify which are
the highest risks and must be immediately fixed, and which may not even be worth the risk to
mitigate. After this has occurred, there will be an implementation of the fixes as well as
continuous monitoring to ensure the security posture of the system. Any possible risks identified
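The prioritization step described above (decide which findings must be fixed immediately, which can be scheduled, and which are not worth mitigating, with scanner results only upgraded once a penetration tester confirms them) is shown below as a worked risk-register example. This is an added example, not the paper's own method: it assumes an annualized loss expectancy model (ALE = SLE x ARO) compared against the yearly cost of the mitigation, and the findings, asset names and dollar figures are constructed.

```python
from dataclasses import dataclass

# Assumed quantitative model for this example (not taken from the plan):
# annualized loss expectancy ALE = SLE x ARO, weighed against mitigation cost.


@dataclass
class Finding:
    ident: str
    asset: str
    sle: float                   # single loss expectancy in dollars (constructed)
    aro: float                   # expected occurrences per year (constructed)
    mitigation_cost: float       # yearly cost to fix or control, dollars (constructed)
    confirmed_exploitable: bool  # True once a penetration tester confirmed the scanner hit


def ale(f: Finding) -> float:
    """Annualized loss expectancy: what this finding is expected to cost per year."""
    return f.sle * f.aro


def classify(f: Finding, immediate_threshold: float) -> str:
    """Decision rule used in this example:
    - mitigation dearer than the expected loss -> accept and document the risk;
    - confirmed exploitable and ALE at or above the threshold -> fix immediately;
    - otherwise -> schedule (unconfirmed scanner hits wait for the penetration test)."""
    if f.mitigation_cost > ale(f):
        return "accept"
    if f.confirmed_exploitable and ale(f) >= immediate_threshold:
        return "fix immediately"
    return "schedule"


def prioritize(findings, immediate_threshold: float = 50_000.0):
    """Rank findings by ALE, highest first, with the classification attached."""
    ranked = sorted(findings, key=ale, reverse=True)
    return [(f.ident, round(ale(f), 2), classify(f, immediate_threshold)) for f in ranked]


# Constructed sample register for the server lab; asset names and figures are invented.
SAMPLE_FINDINGS = [
    Finding("F-1", "lab-db-01", sle=200_000, aro=0.5, mitigation_cost=15_000, confirmed_exploitable=True),
    Finding("F-2", "lab-web-02", sle=40_000, aro=0.2, mitigation_cost=2_000, confirmed_exploitable=False),
    Finding("F-3", "lab-fs-03", sle=5_000, aro=0.1, mitigation_cost=20_000, confirmed_exploitable=True),
    Finding("F-4", "lab-mm-04", sle=120_000, aro=0.5, mitigation_cost=10_000, confirmed_exploitable=False),
]


if __name__ == "__main__":
    for ident, loss, action in prioritize(SAMPLE_FINDINGS):
        print(f"{ident}: ALE ${loss:,.0f} -> {action}")
```

With the sample register, F-1 is fixed immediately, F-4 is scheduled even though its expected loss is high because only a scanner has flagged it, and F-3 is accepted because controlling it would cost far more each year than it is expected to lose. The threshold and the rule itself are the part management owns; changing them changes the table, which is exactly the "where to draw the line" decision the section discusses.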
6: Cost Management
Our company has been very fortunate in that it has not been on the receiving end of a
cyber-attack; however, we cannot assume that this will always be the case. We must continue to
grow our security posture in order to prevent attacks from occurring in the future. “Measuring
cybersecurity more like insurance than a business project: It is recommended, but hard to
put a value on” (Dickson, 2018). The following references two tools and assesses a few
different ways that companies can measure the effectiveness of security. Two tools that are
assessed are the IT Initiative ROI spreadsheet and Federal Financial Institutions Examination
Council (FSSCC) Cybersecurity Assessment Tool (CAT) spreadsheet which will show the fiscal,
economic, and technical risks to the company. The sheets will show the cost and impacts of a
possible attack.
While The Gaming Company Inc. shows little risk overall in the FSSCC Inherent Risk
Profile, the largest amount of risk comes from the Technologies and Connection Types category.
The risk profile takes input based on different Risk Attribute Statements and whether they are
being implemented at the organization. These answers are then aggregated to show the overall
risk of the five categories: Technologies and Connection Types, Delivery Channels,
Threats. The fact that our company has the largest amount of risk coming from the Technologies
and Connection Types category shows that the largest risk to the company comes from the
technologies that we are using and how they are connected. There is inherent risk because of the
outside connections to the internet and third parties that are not as secure as they should be. The
best way to reduce this risk would be to close all external connections, however this is not a
realistic approach. Investing in anti-virus and cyber related software can help protect our
company from possible cyber-attacks and lower the risk that the company inherently possesses.
The Maturity Results of the FSSCC are based on the Maturity Tool Input, which gives
declarative statements for each component; answers of “Yes”, “No”, or “N/A” must be
entered based on their applicability to the organization. These answers are then reported in the
Maturity Tool Results where it is shown where the company’s maturity lies in comparison to the
baseline level. Our company falls below the baseline in three major components: Oversight,
Strategy/Policies, and Planning. We also fall low on Due Diligence. This shows that although the
company has a good overall security posture, there are improvements to be made in the key areas
of management oversight, strategy, planning and due diligence. All these components fall under
management and being proactive with security. Although our security posture is currently good,
technology constantly changes, and we cannot assume that we will stay secure without making
advancements and investing in proper tools like antivirus. The Charts of Assessment Factor and
Charts of Components in the FSSCC tool show that Cyber Risk Management and Oversight is
the lowest category for the company and improvements must be made in the areas of
governance, risk management, and training and culture. Enhancements must be made in these
areas to continue the culture of proper risk management and cyber security.
While the FSSCC tool identifies risks and cybersecurity preparedness, the IT Initiative
ROI spreadsheet takes an economical approach to the risk and shows the ROI and business value
of investing in cybersecurity. This tool was filled out twice, once with Security Initiatives in
mind to invest in anti-malware and protect from phishing attacks, and another time with Server
Hardware/Software Upgrades included so that company assets can be upgraded, and investment
can be put into improved reliability, robustness, and manageability to protect from Denial of
Service (DoS) attacks. The ROI spreadsheet does not consider the security weaknesses of the
company, but simply outputs the estimated costs and returns of investing in security. In both
examples, most of the cost to implement the security upgrades would be in hardware. Although
this is a large upfront cost, it is one that would pay itself off over the years in security and a
reduction in maintenance costs. New hardware upgrades would not be necessary for several
years. A total of 1000 PC upgrades would carry an upfront cost of 2.4 million
dollars but would save the company $89,000 - $204,595 total over a three-year span. Each
example also shows increased employee productivity as well as company revenue. It is important
that investments be put in place not only for security, but also because it increases the ROI for
the company.
Although calculating ROI for cybersecurity may seem difficult, there are many different
types of tools that can assist in its analysis. Just within the two tools used in this example, two
different key values were assessed: cost and risk. While one tool was better in analyzing the risk
to the company, the other did better in assessing the costs and return values. There are many
other tools that help to assess ROI as well. The Forbes Technology Council explains, “We have
adapted a framework for threats and vulnerabilities that we created by combining a modified
MITRE kill chain with groundbreaking research from MIT on industrial accident prevention
called STAMP. We call this cyber methodology STACHT (pronounced “stacked”), which stands
for system theoretic analysis of cyber hazards and threats” (Coden, 2019). This tool assesses the
probability of each of the six steps involved in a cyber attack being compromised based on the
controls put in place to mitigate them. This is just one other example of the many tools being used
to assess ROI in cybersecurity. One of the reasons that companies find it difficult to invest in
cybersecurity is because “spending money on something that might not have happened yet to
prevent it occurring, is a hard pill to swallow” (2019). ROI calculators help to show how
spending the money upfront for security can benefit the company later and save money. The
problem is that mathematical equations are typically based on variables and constants, that is, numbers.
Security does not typically give us specific numbers to work from, and because of that there is
often some amount of guessing and estimating involved. These ROI tools do the best to give us
some form of a quantifiable outcome and give us something to analyze and decide the best
investment for the company. Because there is some form of estimating to be done, values can
vary based on the tools being used and the individuals doing the study. The analysis done on the
FSSCC and the ROI spreadsheet alone showed two different goals, one on minimizing risk, and
the other on maximizing return. It is important that companies choose the best tool to match their
needs and what will show the information that they are looking for. The fact that ROI and risk
analysis may be difficult in cybersecurity, due to obscurity and a lack of definitive
numbers, is no excuse not to use tools to help assess whether tools or mitigations should be
implemented for better security and whether the worth is there for the company. “Today, many CIOs
and CISOs make an educated guess with no quantitative or systematic way of knowing which is
best” (Coden, 2019). Using some type of established framework can give management a more
important that any identified risks are mitigated to prevent a future attack from occurring. One
cannot assume because an attack has not occurred yet, that it will not in the future. Assessing the
risk of the company’s server lab and putting in place the proper controls, as well as periodically
Any future work shall be identified at the end of the six-month implementation.
Additional work may include mitigating additional controls to risks that were later identified,
continuous monitoring, documentation updates, or any other identified work. Cyber security and
risk management are an ongoing cycle and do not simply end after the first identified controls
are implemented. Technology changes and companies change, and it is important that this
document is updated to reflect that and that its controls are reassessed as well.
Cyber security is an important part of any company and unfortunately it is an area that is
often overlooked. By reading this ISSP and following through with system protections, The
Gaming Company Inc. can continue to prevent any cyber-attacks from occurring and keep their
good security standing. It is important that this document is reviewed periodically and updated
as roles and system changes occur. I believe that this ISSP provides a comprehensive summary
of the security controls and implementations that must occur in order to prevent risk of a cyber-attack.
References:
Oltsik, J. (2019, February 19). Enterprises need to embrace top-down cybersecurity management.
https://www.csoonline.com/article/3342036/enterprises-need-to-embrace-top-down-cybersecurity-management.html
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives: A Practical Guide.
Wood, C. C. (2005, September). Ability to resolve conflicts between security and business
https://searchsecurity.techtarget.com/feature/Ability-to-resolve-conflicts-between-security-and-business-objectives
Goldman, J. (2019, April 17). What is risk management? Retrieved November 9, 2019, from
https://www.apm.org.uk/body-of-knowledge/delivery/risk-management/.
Iannerelli, J. G., & O'Shaughnessy, M. (2015). Information Governance and Security: Protecting
Rouse, M., & Rosencrance, L. (2018, April). What is a Vulnerability Assessment (Vulnerability
https://searchsecurity.techtarget.com/definition/vulnerability-assessment-vulnerability-analysis.
Hamel, G. (2016, October 26). Factors That Influence Contingency Planning. Retrieved November
12290.html.
Swanson, M., Bowan, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). NIST Special
Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
Walsh, D. (2012, October 31). The 5 Steps Of Contingency Planning. Retrieved November 15,
Coden, M. (2019, May 9). Yes, Virginia, You Can Calculate ROI For Cybersecurity Budgets.
https://www.forbes.com/sites/forbestechcouncil/2019/05/09/yes-virginia-you-can-calculate-roi-for-cybersecurity-budgets/#448ee8a93ad4
Dickson, S. (2018, September 23). How to Measure the ROI of Cybersecurity Investments -
measure-the-roi-of-cybersecurity-investments.
Is It Possible to Calculate an ROI for Security Awareness Training? (2019, November 18).
calculate-an-roi-for-security-awareness-training/.