
Running head: THE GAMING COMPANY INC.

The Gaming Company Inc.

Jessica Romio, 008394420

Cyber Management

CSOL 550

December 17, 2019

Dr. Moore

Table of Contents

Abstract
1: Company Summary
2: Management
3: Planning
4: Implementation Management
5: Risk Management
6: Cost Management
7: Analysis & Recommendation Management
8: Student Assessment of ISSP to Cyber Management
References

Abstract

This Information System Security Plan (ISSP) documents the defense of the system and works to improve the protection of the system and its resources. It provides an overview of the security requirements and of the controls to be put in place to meet them and mitigate risk. The plan also describes the responsibilities of each individual involved with the system. It shall be viewed as the security planning for the system and shall reflect input from the system owner and management. The document is a living document and shall be reviewed and updated periodically. It gives an understanding of the systems involved, their risks, and the security controls that are needed to maintain an acceptable level of security.

1: Company Summary

The Gaming Company Inc. is a video game company that provides digital distribution of games that users purchase, together with updates and downloadable content for those games. Because so many users rely on the content the company provides, it is important that the risk to the company is managed and that its customers’ information is protected. The company provides digital rights management, matchmaking servers, video streaming, and social networking services. The architecture consists of several servers, routers, switches, and firewalls. The focus of this document is the server lab located in San Diego, CA. This ISSP describes the security goals of those systems and how to maintain an acceptable level of security.

2: Management

While corporate practices and cybersecurity practices should work together, this is often not the case; instead they can create opposing objectives. Corporate practices put the emphasis on creating the largest possible profit for the company while spending little on extra overhead. Cybersecurity practices require proper investment to reduce risk to the company, and that costs money as well as time. It is important for The Gaming Company Inc. that management understands the importance of both and finds the proper balance between them.

“Cybersecurity is about risk management” (Touhill & Touhill, 2014). The business, its stakeholders’ investments, and company assets need to be protected while maintaining a competitive advantage. It requires a multidisciplinary approach to managing risk. When managing risk, it must not be viewed as a technical issue but as an issue that affects the entire company. Security is everyone’s responsibility, and managers at each level of the company should understand the importance of cybersecurity and how to ensure its effectiveness. Executives typically understand the importance of protecting company information; however, they also want to invest wisely and do not want to overspend on cybersecurity, especially when they do not see its positive returns. The “manager must be able to clearly see the pros and cons of certain courses of action and be able to choose and negotiate a compromise which best serves the organization in the long run” (Wood, 2005). Management must understand cybersecurity in order to make a proper decision on how the company will invest in it. Management understands our corporate practices because they work with them constantly and speak the language of business, but they do not typically understand how cybersecurity works. Cybersecurity requires many controls to be put in place to mitigate risk, and these often include complex technical controls. Without strong communication between management and security professionals, management may not understand the terminology and may see the issue as a purely technological one rather than understanding that its purpose is to support the business. Poor communication between the two parties can result in inadequate investment in cybersecurity, because the importance of its implementation and how it benefits the company are not understood. “The cybersecurity staff must work within business units to establish and enable a cooperative business/cybersecurity relationship throughout the organization” (Oltsik, 2019). Management at The Gaming Company Inc. is responsible for investing in a company culture that takes security seriously and promotes open communication between business units and cybersecurity. With a proper understanding of cybersecurity practices and proper investment in them, both practices can work together to protect the company from risk and bring about the greatest return on investment.

2.1 Roles and Responsibilities

Several roles and responsibilities are involved in keeping The Gaming Company Inc. systems secure. It is important that these roles are reviewed periodically and that the responsibilities are kept current. This section explains the roles and their associated responsibilities for maintaining the security of the system. The Chief Information Officer (CIO) is responsible for developing and maintaining the security program of the system, which includes developing and maintaining the system security policies, procedures, and controls in the security planning. The CIO also ensures that personnel are trained and understand their associated responsibilities. The Information System Owner (ISO) is responsible for the development and maintenance of the system; the ISO must ensure that the system is operated to the agreed security requirements and updates the security plan whenever the system changes. The Information Owner decides who has access to the system and what privileges they have. The Senior Agency Information Security Officer (SAISO) is the primary liaison between the CIO and the information system owners and security officers. The SAISO carries out the responsibilities of the CIO and coordinates with the system owners, the security officers, and the authorizing official. The Information System Security Officer (ISSO) ensures that the proper security posture is maintained and assists the SAISO. Lastly, the Authorizing Official (AO) is the executive with the authority to formally assume responsibility for the system and to ensure that it operates at an acceptable level of risk. The AO approves the system security plan and authorizes the operation of the system.

3: Planning

3.1 Information Security Implementation

The most important part of maintaining a secure working environment is physical security. We can make the network architecture as secure as possible, but it would all be for nothing if someone could simply walk up to the servers and manipulate them as they wish. The entrance to the company building has a gate guard as well as a traffic arm. The guard is present during the typical company work hours to check credentials manually and streamline entry. Outside of the typical work hours the traffic arm stays down and only rises when the driver scans a smart card that carries the proper credentials. A 24-hour camera monitors the entrance, and the entrance is well lit to deter intruders. The parking area shall remain lit whenever it is dark and be monitored constantly by cameras for the safety of employees as well. The fence surrounding the facility should be raised to 8 feet to deter intruders and to force authorized persons through the gate, for accountability. Retractable bollards shall be installed in front of the traffic arm. Should there be an extended period of full employee absence from the campus, or an emergency, the bollards can be raised in front of the traffic arm to prevent an intruder from ramming through the entrance with a vehicle. The servers will be kept in the lab in a separate room of their own. This room requires additional badge access to enter, so that only those granted permission to work on the servers can enter. The room is also monitored and is climate-controlled by HVAC to maintain a proper temperature. It shall have a gaseous-agent fire suppression system, rather than water sprinklers, to protect the server equipment in case of a fire. Uninterruptible power supplies (UPS) will also be installed to allow safe shutdowns in an emergency.

All doorways to the main office or lab will be well lit and monitored by a security camera 24/7. This will not only deter intruders but also provide accountability for who is entering the building and when. In addition to the keypad that grants access, the keypads will be configured with time-of-day settings. Although the typical time settings are fixed, employees can always give security notice if they wish to work off hours or weekends and be granted temporary door access for those times; the door access log should be retained alongside the camera footage so that each after-hours entry can be tied to the grant that authorized it.
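The time-of-day door rule above, worked through as an added example (this is not the ISSP’s own access-control system, and the business hours, badge rosters and temporary grants are assumptions). It shows the cases a practitioner cares about: a badge that is on the lab roster but not the server-room roster, a weekend grant that has already expired, a change window that crosses midnight, and an unknown badge or door, all of which must fail closed.

```python
"""Time-of-day badge access check for the office and server-room doors.

Added example, not part of the ISSP and not the company's access-control
system. Assumptions not stated in the plan: business hours are Monday to
Friday, 07:00 to 19:00; each door has its own roster of badges; after-hours
access requires a temporary grant with an explicit start and end; anything
else is denied (fail closed).
"""
from dataclasses import dataclass
from datetime import datetime

BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday = 0 ... Friday = 4 (assumed)
BUSINESS_START_HOUR = 7           # 07:00 inclusive (assumed)
BUSINESS_END_HOUR = 19            # 19:00 exclusive (assumed)


@dataclass(frozen=True)
class TemporaryGrant:
    """After-hours access window approved by security for one badge and one door."""
    badge_id: str
    door: str
    start: datetime   # inclusive
    end: datetime     # exclusive

    def covers(self, door: str, when: datetime) -> bool:
        return self.door == door and self.start <= when < self.end


def in_business_hours(when: datetime) -> bool:
    return (when.weekday() in BUSINESS_DAYS
            and BUSINESS_START_HOUR <= when.hour < BUSINESS_END_HOUR)


def decide_access(badge_id, door, when, rosters, grants):
    """Return (allowed, reason). Unknown doors and badges are always denied."""
    if door not in rosters:
        return False, "unknown door"
    if badge_id not in rosters[door]:
        return False, "badge not on roster for this door"
    if in_business_hours(when):
        return True, "business hours"
    for grant in grants:
        if grant.badge_id == badge_id and grant.covers(door, when):
            return True, "temporary grant until " + grant.end.isoformat()
    return False, "outside business hours and no temporary grant"


# Constructed sample data. The server room has its own, smaller roster,
# matching the plan's requirement for additional badge access to that room.
ROSTERS = {
    "lab-entrance": {"B001", "B002", "B003"},
    "server-room": {"B001"},
}
GRANTS = [
    # B002 asked security for Saturday access to the lab (constructed).
    TemporaryGrant("B002", "lab-entrance",
                   datetime(2019, 12, 21, 9, 0), datetime(2019, 12, 21, 17, 0)),
    # B001 is on call for a change window that crosses midnight (constructed).
    TemporaryGrant("B001", "server-room",
                   datetime(2019, 12, 20, 22, 0), datetime(2019, 12, 21, 2, 0)),
]


def check(badge_id: str, door: str, when_iso: str):
    """Evaluate one badge swipe against the sample rosters and grants."""
    return decide_access(badge_id, door, datetime.fromisoformat(when_iso),
                         ROSTERS, GRANTS)


if __name__ == "__main__":
    swipes = [
        ("B001", "lab-entrance", "2019-12-18T10:00"),   # Wednesday: business hours
        ("B002", "server-room", "2019-12-18T10:00"),    # not on the server-room roster
        ("B002", "lab-entrance", "2019-12-21T10:00"),   # Saturday: covered by grant
        ("B002", "lab-entrance", "2019-12-21T18:00"),   # Saturday: grant expired
        ("B001", "server-room", "2019-12-21T01:00"),    # inside the midnight window
    ]
    for swipe in swipes:
        print(swipe, check(*swipe))
```

The grant end is exclusive and every path that is not explicitly allowed returns a denial with a reason, so the reason string can be written to the door log together with the badge ID and timestamp for the accountability the plan asks for.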

3.2 Contingency Planning

A contingency plan is a plan B: it states the measures to be taken should a disruption occur to the company systems and how to restore operations to normal with minimal cost and disruption. The hope is that The Gaming Company Inc. will never need the plan, “but you realize the good times may not always be there. You recognize there are many risks facing your business and you need contingency plans” (Touhill & Touhill, 2014). It is important that the contingency plan supports the goals of our company and balances the protection of the network and systems against possible threats, whether man-made or natural disasters. The contingencies put in place must protect the organization in the event of a disaster while still making sense financially. The following explains the needs for protection and the key factors that need to be put in place.

Contingency planning should begin with a management team that represents the various parts of the organization. They should all work together to ensure the plan is realistic and meets the needs of the company. The plan must state who is involved and who needs to be notified in the event of a disaster. The company also needs to test the plan regularly to ensure that it would work when an event occurs; NIST SP 800-34 states that this should occur at least annually. NIST SP 800-34 also defines a seven-step process to develop the program: 1. Develop the contingency planning policy statement, 2. Conduct the business impact analysis (BIA), 3. Identify preventive controls, 4. Create contingency strategies, 5. Develop an information system contingency plan, 6. Ensure plan testing, training, and exercises, and 7. Ensure plan maintenance. “These seven progressive steps are designed to be integrated into each stage of the system development life cycle” (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). Contingency planning includes a business impact analysis, incident response planning, disaster recovery planning, and business continuity planning. Each part works on ensuring a response and restoring operations should a disaster occur.

A contingency plan begins with the goals of the business: “the way business owners choose to respond to different contingencies will reflect their ultimate goal for the business” (Hamel, 2016). If the business is in a location prone to certain environmental hazards, the plan would likely include mitigations for them. Government regulations and laws also play a large role in contingency planning. The plan should include instructions for how the company should deal with changing regulations and ensure that the plan itself complies with regulations. Profitability also plays a large role in the planning. While it is important to put money into security, contingency planning can become expensive, and it is important to analyze what protecting one’s systems is worth. Putting too many protections in place can be expensive and can lessen work efficiency, making it harder to get business done. In the end, the company wants to provide the proper amount of security without overspending. A common problem in contingency planning is deciding whether to operate throughout a disaster or to suspend work until the business is completely restored. Management may be tempted to work through the disaster; however, this can pose a greater risk to the organization. The Gaming Company Inc. places human safety above all else, and operations should be halted until further instruction. Hot sites, although expensive, allow the company to continue operations elsewhere in the event of a disaster.

The Gaming Company Inc. has several hot sites to resume operations quickly and effectively in the event of an attack or environmental incident. In the event of a disaster, all operations are to cease until official notice. The Gaming Company Inc. has several environmental protections in place and mitigations to continue operations; however, personnel safety is of the utmost importance, and it is critical that management give the proper approval before operations are resumed. In the event of a power outage, The Gaming Company Inc. has several UPS units and generators in place to continue operations until power is restored.

4: Implementation Management

4.1 Proposed Timeline/Execution

The Gaming Company Inc. must implement this ISSP before resuming system use. The company must implement the plan within six months of the start date of January 1, 2020; the completion deadline is therefore June 30, 2020. The roles defined above, as well as several network, systems, and software engineers, shall work together to complete this task.

4.2 Budget

The budget to apply the necessary controls and ensure the security of the systems is $2.4 million. This covers several engineers as well as the necessary management responsibilities. The scope is six months; additional time may be added if additional work is identified.

5: Risk Management

Risk management is defined as “a process that allows individual risk events and overall risk to be understood and managed proactively, optimizing success by minimizing threats and maximizing opportunities” (“What is risk management?”, n.d.). The goal of any business is to be profitable; The Gaming Company Inc. is no different, and understanding risk management plays a large role in determining its success. One needs to understand where to draw the line and how much security to implement in order to minimize the risk to the company. Not investing enough in security can result in vulnerabilities being exploited, while investing in too much security can cause the company to lose profit and the ability to conduct business efficiently. It is important that management understands where to draw the line and how to balance both extremes so that The Gaming Company Inc. can function most efficiently while protecting its customers, employees, and assets. Iannarelli and O’Shaughnessy pose the question “After all, how much protection is too much?” (2015).

One of the most important tools in assessing the risk to a company is a cyber vulnerability audit. An overall assessment “provides an organization with information on the security weaknesses in its environment and provides direction on how to assess the risks associated” (Rouse & Rosencrance, 2018). The process is important as it allows the organization to gain a better understanding of its security posture, its vulnerabilities, and the overall risk that could be exploited. For the audit, management will decide which systems need to be assessed; this should be any critical infrastructure where important data resides, such as the server lab. It is important that management defines the scope of the audit and what is not permitted during testing, based on the corporate goals of the company. While assessing the systems is very important, it is useless if the systems are broken while testing, so the rules of engagement should name the systems and the kinds of test that are off limits. All defined systems and networks should be scanned with a vulnerability scanner to determine where the possible vulnerabilities lie and their severity, and these can then be tested further by penetration testers. Penetration testers, or “hackers”, are important as they test which vulnerabilities are actually exploitable. A vulnerability scanner can report many possible vulnerabilities, but it is not known whether they are a real threat vector until someone tests whether they can be exploited. The testers can be internal or external to the company, as there are benefits to both. Internal testers may know the system better and therefore reach more attack vectors, while external testers are new to the system and more accurately depict an outside attacker. These “hackers” are important as they will use everything in their bag of tools to exploit the system or simply cause it to do what it was not intended to do. Programmers do not always anticipate every way that an attacker may try to exploit or break the system; these testers do everything they can to get in, and the results in their report can then be used to patch the system and mitigate the risks.

Once risks are identified and assessed, analysis and prioritization of the fixes will occur. During this time the team will identify which are the highest risks that must be fixed immediately, and which are not worth the cost of mitigating and can be accepted. After this, the fixes will be implemented, followed by continuous monitoring to ensure the security posture of the system. Any further risks identified during monitoring must be recorded for future fixes.
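The scan, confirm, prioritize and accept-or-fix sequence described in this section, worked through as an added example (it is not the ISSP’s own procedure or tooling). The findings, asset values, loss estimates and fix costs are constructed sample data; the scoring uses annualized loss expectancy (ALE = asset value × exposure factor × annual rate of occurrence), a standard quantitative risk formula, and the three-year horizon, the host-name prefix used for scope, and the likelihood discount applied to findings the penetration testers could not confirm are assumptions.

```python
"""Prioritising audit findings for the San Diego server lab.

Added example; not the ISSP's own procedure or tooling. Findings, asset
values, loss estimates and fix costs below are constructed. Scoring uses
annualised loss expectancy, ALE = asset value x exposure factor x annual
rate of occurrence; the horizon, scope prefix and the discount for findings
the penetration testers could not confirm are assumptions.
"""
from dataclasses import dataclass

SCOPE_PREFIX = "sd-lab-"      # hosts in the San Diego server lab (assumed naming)
HORIZON_YEARS = 3             # compare fix cost against three years of expected loss
UNCONFIRMED_FACTOR = 0.25     # scanner-only findings: likelihood discounted until confirmed


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float               # scanner severity, 0-10
    exploit_confirmed: bool   # True if a penetration tester actually exploited it
    asset_value: float        # USD, from the business impact analysis
    exposure_factor: float    # fraction of asset value lost per incident
    aro: float                # expected incidents per year if left unfixed
    fix_cost: float           # one-time remediation cost, USD


def in_scope(f: Finding) -> bool:
    return f.host.startswith(SCOPE_PREFIX)


def annual_loss_expectancy(f: Finding) -> float:
    likelihood = f.aro if f.exploit_confirmed else f.aro * UNCONFIRMED_FACTOR
    return round(f.asset_value * f.exposure_factor * likelihood, 2)


def recommend(f: Finding) -> str:
    """Fix now, fix when cost-justified, or accept the risk and monitor."""
    if f.exploit_confirmed and f.cvss >= 9.0:
        return "fix immediately"          # confirmed critical: cost does not decide
    if annual_loss_expectancy(f) * HORIZON_YEARS >= f.fix_cost:
        return "fix"                      # loss avoided over the horizon pays for the fix
    return "accept and monitor"           # cheaper to carry than to fix; re-check next audit


def prioritise(findings):
    """Rank in-scope findings by expected loss over the horizon, highest first."""
    rows = []
    for f in findings:
        if not in_scope(f):
            continue                      # outside the audit scope set by management
        ale = annual_loss_expectancy(f)
        rows.append({
            "host": f.host,
            "title": f.title,
            "ale": ale,
            "expected_loss": round(ale * HORIZON_YEARS, 2),
            "fix_cost": f.fix_cost,
            "action": recommend(f),
        })
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("sd-lab-dist01", "outdated TLS library on distribution server",
            9.8, True, 2_000_000, 0.30, 0.5, 40_000),
    Finding("sd-lab-match02", "default SNMP community string",
            5.3, False, 500_000, 0.10, 1.0, 5_000),
    Finding("sd-lab-stream03", "verbose server version banner",
            2.0, False, 300_000, 0.01, 2.0, 20_000),
    Finding("corp-hr01", "missing HTTP security headers",
            4.0, False, 100_000, 0.05, 1.0, 1_000),   # not in the server-lab scope
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f"{row['host']:16} {row['action']:20} "
              f"expected loss ${row['expected_loss']:>12,.2f} "
              f"fix ${row['fix_cost']:>9,.2f}  {row['title']}")
```

The out-of-scope host is dropped before scoring, a confirmed critical finding is fixed regardless of the arithmetic, and a finding is only accepted when three years of expected loss is below the cost of the fix; the accepted items are the ones the continuous monitoring in the next paragraph has to keep watching.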

6: Cost Management

Our company has been very fortunate in that it has not been on the receiving end of a cyber-attack; however, we cannot assume that this will always be the case. We must continue to improve our security posture in order to prevent attacks from occurring in the future. “Measuring the effectiveness of security investments is a challenge. Companies treat costs spent on cybersecurity more like insurance than a business project: It is recommended, but hard to put a value on” (Dickson, 2018). The following applies two tools and assesses a few different ways that companies can measure the effectiveness of security. The two tools are the IT Initiative ROI spreadsheet and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT), in the spreadsheet version published by the Financial Services Sector Coordinating Council (FSSCC) and referred to below as the FSSCC tool; together they show the fiscal, economic, and technical risks to the company. The sheets show the cost and impact of a possible attack.

While The Gaming Company Inc. shows little risk overall in the FSSCC Inherent Risk Profile, the largest amount of risk comes from the Technologies and Connection Types category. The risk profile takes input based on different risk attribute statements and whether they apply to the organization. These answers are then aggregated to show the overall risk in the five categories: Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. That our company’s largest amount of risk comes from the Technologies and Connection Types category shows that the largest risk to the company comes from the technologies we use and how they are connected. There is inherent risk because of the outside connections to the internet and to third parties that are not as secure as they should be. The most direct way to reduce this risk would be to close all external connections; however, this is not realistic. Inherent risk in the profile is measured before controls, so investing in anti-virus and other security software does not lower the inherent risk figure itself; it lowers the residual risk that remains after controls, and that is the risk such investments should be justified against.

The Maturity Results of the FSSCC tool are based on the Maturity Tool Input, which gives declarative statements for each component; an answer of “Yes”, “No”, or “N/A” must be entered for each statement based on its applicability to the organization. These answers are then output in the Maturity Tool Results, which show where the company’s maturity lies in comparison to the baseline level. Our company falls below the baseline in three components: Oversight, Strategy/Policies, and Planning. We also score low on Due Diligence. This shows that although the company has a good overall security posture, there are improvements to be made in the key areas of management oversight, strategy, planning, and due diligence. All of these components fall under management and being proactive with security. Although our security posture is currently good, technology constantly changes, and we cannot assume that we will stay secure without making advancements and investing in proper tools such as antivirus. The Charts of Assessment Factors and Charts of Components in the FSSCC tool show that Cyber Risk Management and Oversight is the company’s lowest domain, and improvements must be made in the areas of governance, risk management, and training and culture. Enhancements must be made in these areas to continue the culture of proper risk management and cyber security.
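How the Yes/No/N/A answers become a maturity level per component, as an added example (this is not the FSSCC spreadsheet’s own logic or data). It applies the FFIEC CAT rule that a component reaches a level only when every declarative statement at that level and at every lower level is satisfied, with “N/A” counting as satisfied; the statements, answers and component names are constructed, and treating a level with no statements as not assessed is an assumption.

```python
"""Turning Yes/No/N/A answers to declarative statements into a maturity level.

Added example; not the FSSCC spreadsheet's own logic or data. Applies the
FFIEC CAT rule that a component reaches a maturity level only when every
declarative statement at that level, and at every lower level, is answered
"Yes" ("N/A" counts as satisfied). The answers below are constructed; treating
a missing level as not assessed is an assumption.
"""
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
SATISFIED = {"Yes", "N/A"}


def level_satisfied(answers) -> bool:
    """A level counts only if it has statements and none of them is answered No."""
    return bool(answers) and all(a in SATISFIED for a in answers)


def maturity(component_answers):
    """Highest level reached, walking up from Baseline; None means below Baseline."""
    reached = None
    for level in LEVELS:
        if not level_satisfied(component_answers.get(level, [])):
            break                       # a gap at this level blocks all higher levels
        reached = level
    return reached


def below_baseline(all_components):
    """Names of components that do not even reach Baseline, sorted."""
    return sorted(name for name, answers in all_components.items()
                  if maturity(answers) is None)


def gaps_to_baseline(all_components):
    """For each component below Baseline, how many Baseline statements are unmet."""
    return {name: sum(1 for a in answers.get("Baseline", []) if a == "No")
            for name, answers in all_components.items()
            if maturity(answers) is None}


# Constructed answers keyed by component, then level (statement text omitted).
ANSWERS = {
    "Oversight":         {"Baseline": ["Yes", "No", "Yes"], "Evolving": ["Yes", "Yes"]},
    "Strategy/Policies": {"Baseline": ["No", "No"], "Evolving": ["Yes"]},
    "Planning":          {"Baseline": ["Yes", "N/A", "No"]},
    "Due Diligence":     {"Baseline": ["Yes", "Yes"], "Evolving": ["No", "Yes"]},
    "Training":          {"Baseline": ["Yes", "Yes"], "Evolving": ["Yes"],
                          "Intermediate": ["Yes", "No"]},
    "Audit":             {"Baseline": ["Yes"], "Evolving": ["Yes"],
                          "Intermediate": ["Yes"], "Advanced": ["Yes"],
                          "Innovative": ["N/A"]},
}

if __name__ == "__main__":
    for name, answers in ANSWERS.items():
        print(f"{name:18} {maturity(answers) or 'below Baseline'}")
    print("below baseline:", below_baseline(ANSWERS))
    print("unmet baseline statements:", gaps_to_baseline(ANSWERS))
```

Note that Oversight answers every Evolving statement Yes and still lands below Baseline: a higher level never compensates for a gap at a lower one, which is why the three components named in the text are the ones to fix first, and `gaps_to_baseline` gives the count of statements each needs to close.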


While the FSSCC tool identifies risks and cybersecurity preparedness, the IT Initiative ROI spreadsheet takes an economic approach and shows the ROI and business value of investing in cybersecurity. This tool was filled out twice: once with Security Initiatives in mind, to invest in anti-malware and protection from phishing attacks, and once with Server Hardware/Software Upgrades included, so that company assets can be upgraded and investment put into improved reliability, robustness, and manageability to protect against Denial of Service (DoS) attacks. The ROI spreadsheet does not consider the security weaknesses of the company; it simply outputs the estimated costs and returns of investing in security. In both examples, most of the cost of implementing the security upgrades would be in hardware. Although this is a large upfront cost, it is one that would pay for itself over the years in security and reduced maintenance costs, and new hardware upgrades would not be necessary for several years. Upgrading a total of 1000 PCs would have an upfront cost of 2.4 million dollars and, according to the spreadsheet, would save the company $89,000 - $204,595 in total over a three-year span. Those direct savings alone do not recover the upfront cost within three years; the business case rests on the increased employee productivity and company revenue that each example also shows. It is important that investments be made not only for security but also because they increase the ROI for the company.

Although calculating ROI for cybersecurity may seem difficult, many different tools can assist in the analysis. Within the two tools used in this example, two different key values were assessed: cost and risk. While one tool was better at analyzing the risk to the company, the other did better at assessing the costs and return values. There are many other tools that help assess ROI as well. The Forbes Technology Council explains, “We have adapted a framework for threats and vulnerabilities that we created by combining a modified MITRE kill chain with groundbreaking research from MIT on industrial accident prevention called STAMP. We call this cyber methodology STACHT (pronounced “stacked”), which stands for system theoretic analysis of cyber hazards and threats” (Coden, 2019). This tool assesses the probability of each of the six steps of a cyber attack succeeding, based on the controls put in place to mitigate them. This is just one more example of the many tools being used to assess ROI in cybersecurity. One of the reasons that companies find it difficult to invest in cybersecurity is that “spending money on something that might not have happened yet to prevent it occurring, is a hard pill to swallow” (“Is It Possible to Calculate an ROI for Security Awareness Training?”, 2019). ROI calculators help to show how spending the money upfront on security can benefit the company later and save money. The problem is that mathematical equations are typically built from variables and constants, that is, numbers. Security does not usually give us specific numbers to work with, so some amount of guessing and estimating is involved. These ROI tools do their best to give us a quantifiable outcome and something to analyze in deciding the best investment for the company. Because estimation is involved, values can vary based on the tools being used and the individuals doing the study. The analyses done with the FSSCC tool and the ROI spreadsheet alone showed two different goals: one minimizing risk and the other maximizing return. It is important that companies choose the tool that best matches their needs and shows the information they are looking for. Just because ROI and risk analysis are difficult in cybersecurity, due to obscurity and a lack of definitive numbers, is no excuse not to use tools to assess whether tools or mitigations should be implemented for better security and whether they are worth it for the company. “Today, many CIOs and CISOs make an educated guess with no quantitative or systematic way of knowing which is best” (Coden, 2019). Using an established framework can give management a more systematic way of approaching cybersecurity.

7: Analysis & Recommendation Management

7.1 Key Elements

Although The Gaming Company Inc. is currently in good security standing, it is important that any identified risks are mitigated to prevent a future attack. One cannot assume that because an attack has not occurred yet, it will not occur in the future. Assessing the risk of the company’s server lab, putting the proper controls in place, and periodically reassessing them should keep the company in good security standing.

7.2 Conclusion and Future Work

Any future work shall be identified at the end of the six-month implementation. Additional work may include applying controls to risks that are identified later, continuous monitoring, documentation updates, or any other identified work. Cyber security and risk management form an ongoing cycle that does not simply end after the first identified controls are implemented. Technology changes and companies change, and it is important that this document is updated to reflect that and that the controls are reassessed as well.

8: Student Assessment of ISSP to Cyber Management

Cyber security is an important part of any company, and unfortunately it is an area that is often overlooked. By reading this ISSP and following through with system protections, The Gaming Company Inc. can continue to prevent cyber-attacks from occurring and keep its good security standing. It is important that this document is reviewed and updated periodically as roles and systems change. I believe that this ISSP provides a comprehensive summary of the security controls and implementations that must occur in order to prevent a cyber-attack.


References:

Coden, M. (2019, May 9). Yes, Virginia, You Can Calculate ROI For Cybersecurity Budgets. Forbes. Retrieved November 25, 2019, from https://www.forbes.com/sites/forbestechcouncil/2019/05/09/yes-virginia-you-can-calculate-roi-for-cybersecurity-budgets/#448ee8a93ad4

Dickson, S. (2018, September 23). How to Measure the ROI of Cybersecurity Investments. ITSPmagazine. Retrieved November 25, 2019, from https://www.itspmagazine.com/from-the-newsroom/how-to-measure-the-roi-of-cybersecurity-investments

Hamel, G. (2016, October 26). Factors That Influence Contingency Planning. Retrieved November 15, 2019, from https://smallbusiness.chron.com/factors-influence-contingency-planning-12290.html

Iannarelli, J. G., & O'Shaughnessy, M. (2015). Information Governance and Security: Protecting and Managing Your Company's Proprietary Information. Amsterdam: Elsevier.

Is It Possible to Calculate an ROI for Security Awareness Training? (2019, November 18). Retrieved November 25, 2019, from https://thedefenceworks.com/blog/is-it-possible-to-calculate-an-roi-for-security-awareness-training/

Oltsik, J. (2019, February 19). Enterprises need to embrace top-down cybersecurity management. CSO Online. Retrieved October 27, 2019, from https://www.csoonline.com/article/3342036/enterprises-need-to-embrace-top-down-cybersecurity-management.html

Rouse, M., & Rosencrance, L. (2018, April). What is a Vulnerability Assessment (Vulnerability Analysis)? WhatIs.com. Retrieved November 9, 2019, from https://searchsecurity.techtarget.com/definition/vulnerability-assessment-vulnerability-analysis

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. Retrieved November 15, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives: A Practical Guide. Hoboken, NJ: Wiley.

Walsh, D. (2012, October 31). The 5 Steps Of Contingency Planning. Retrieved November 15, 2019, from https://www.lifescienceleader.com/doc/the-steps-of-contingency-planning-0001

What is risk management? (n.d.). Association for Project Management. Retrieved November 9, 2019, from https://www.apm.org.uk/body-of-knowledge/delivery/risk-management/

Wood, C. C. (2005, September). Ability to resolve conflicts between security and business objectives. Retrieved October 27, 2019, from https://searchsecurity.techtarget.com/feature/Ability-to-resolve-conflicts-between-security-and-business-objectives
