Jessica Romio

CSOL 530

CSOL 530 Final Paper

The Gaming Company Inc. is a video game company that provides the digital distribution of games that can be purchased by users, as well as updates and digital content for these games. Because the Gaming Company has so many users who rely on the content provided by the company, it is important that the risk to the company is managed and that the three elements of the CIA Triad are properly maintained across all company assets. The system in focus for this discussion is the cell phones assigned to employees who need them at the company. The following paper will discuss how risk to the system is assessed, how the system is authorized, and how it is monitored once it is in operation.

Today's cell phones are not only mobile phones but handheld computers as well. Because they are both a mobile phone and a computer, our cell phones process and transmit many different types of information, ranging from health or location data to stored passwords and credit card information. Our company not only provides work cell phones to employees, but we also have a wireless network set up and allow the use of personal devices. Mobile phones require more protection than other devices because "their nature generally places them at higher exposure to threats than other client devices" (Souppaya & Scarfone, 2013). They transmit information wirelessly, so stealing information from them does not require a physical connection, and they are small and therefore easy to lose or steal. Because the company provides work cell phones that are constantly used to transmit work-related information, and because we allow the use of personal devices, it is our responsibility to ensure that security is taken seriously when it comes to cell phones and that the proper protections are put in place.



In the Risk Management Framework, the three concepts used to categorize a system are Confidentiality, Integrity, and Availability. Confidentiality revolves around the principle that information should be available only to those who require it and should not be accessible to everyone; it is the idea that information should be protected from those who do not have the authority to access it. Integrity ensures that information has not been tampered with and that the information accessed or received is indeed the information that was stored or sent. Lastly, availability is the idea that all services should be constantly available and should not go down unintentionally (2011). I would categorize the mobile phone system of the company as Moderate, Low, Low. I would rate confidentiality the highest because a mobile phone could easily be stolen, and information can be intercepted since phones transmit wirelessly. However, I do not think that information stolen from a mobile phone would have a catastrophic effect on the company. Encryption and remote wipe should be put in place to protect information on the phone in case it is taken. I would categorize the integrity of the mobile phones as low. There could be adverse effects if information transferred through a mobile phone is modified or deleted; however, no critical information should be transmitted over a cell phone in the first place, and there should always be an expectation of losing information sent over a cell phone. Important information should not be stored on one's cell phone. Lastly, I rated availability as low impact because even if communication through the cell phone fails, there are other ways of reaching someone, such as email, chat, or a landline. The mobile phone is not the only way of reaching someone else in the company, and a loss of availability would not result in a catastrophic event for the company. At most, it would likely be an inconvenience to the employees.
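The categorization above follows the FIPS 199 procedure: each kind of information the phone handles is rated for confidentiality, integrity, and availability, the system rating for each objective is the maximum across information types, and the overall impact level (the "high water mark") is the highest of the three, which is what drives the later statement that controls are applied up to the moderate level. The following script, an added example and not part of the paper, works that procedure through. The information types and their individual ratings are constructed for illustration; only the resulting Moderate, Low, Low category is the paper's.

```python
"""FIPS 199 style security categorization for the company phone system.

Added example (not from the paper). Rate each kind of information the phone
carries for confidentiality, integrity and availability, take the maximum per
objective to get the system category, then take the high-water mark across the
three objectives to select the SP 800-53 baseline. The information types and
their ratings below are constructed assumptions, not figures from the paper.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 defines exactly these three impact levels; the tuple order is the ranking.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One kind of information processed by the system, with its three ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        return getattr(self, objective)


def _check(level: str) -> str:
    """Reject anything outside the FIPS 199 vocabulary."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def max_level(a: str, b: str) -> str:
    """Return the higher of two impact levels."""
    return a if LEVELS.index(_check(a)) >= LEVELS.index(_check(b)) else b


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per objective, the system impact is the maximum over all information types."""
    category = {obj: "LOW" for obj in OBJECTIVES}
    for info in info_types:
        for obj in OBJECTIVES:
            category[obj] = max_level(category[obj], info.rating(obj))
    return category


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall system impact level: the highest of the three objectives.
    This picks which SP 800-53 baseline (low / moderate / high) is applied."""
    level = "LOW"
    for obj in OBJECTIVES:
        level = max_level(level, category[obj])
    return level


def format_sc(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % tuple(
        category[obj] for obj in OBJECTIVES)


# Constructed sample: kinds of information the paper says a company phone handles.
PHONE_INFO_TYPES = [
    InfoType("work email and chat", "MODERATE", "LOW", "LOW"),
    InfoType("location data", "MODERATE", "LOW", "LOW"),
    InfoType("stored credentials", "MODERATE", "LOW", "LOW"),
    InfoType("voice calls", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(PHONE_INFO_TYPES)
    print(format_sc(sc))
    print("baseline to apply:", high_water_mark(sc))
```

Adding a new information type with a higher rating for any objective raises the system category for that objective, and raising any one objective to HIGH moves the whole system to the high baseline; that is why the paper can rate integrity and availability low and still end up with a moderate baseline.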



There are six steps in the Risk Management Framework (RMF) security lifecycle: categorizing the information system, selecting the security controls, implementing the security controls, assessing the security controls, authorizing the information system, and monitoring the security controls. Now that we have categorized the system, the next step is selecting the security controls based on this categorization to minimize risk. Controls are pulled from NIST SP 800-53 rev. 5 based on their applicability to the system's impact ranking. "The controls have been designed to facilitate compliance with applicable laws, Executive Orders, directives, policies, regulations, and standards" (2017). Because the cell phones have been categorized as moderate, low, low, the baseline common controls that apply to this impact rating can be applied. All controls will be applied up to the moderate level, including some control enhancements. NIST SP 800-124 rev. 1 specifically addresses the security of mobile devices. The major NIST SP 800-53 controls that affect enterprise mobile device security are: AC-3 Access Enforcement, AC-4 Information Flow Enforcement, AC-17 Remote Access, AC-18 Wireless Access, AC-19 Access Controls for Mobile Devices, AC-20 Use of External Information Systems, AT-2 Security Awareness Training, AU-2 Audit Events, CA-7 Continuous Monitoring, CM-6 Configuration Settings, IA-2 Identification and Authentication (organizational users), IA-3 Device Identification and Authentication, IA-5 Authenticator Management, MP-6 Media Sanitization, SC-4 Information in Shared Resources, SC-7 Boundary Protection, SC-8 Transmission Confidentiality and Integrity, SC-28 Flaw Remediation, SI-4 Information System Monitoring, and SI-7 Software, Firmware, and Information Integrity (Souppaya & Scarfone, 2013).

Assuming the applicable controls have been applied to The Gaming Company cell phones, we can move on to assessing the security controls. The figure below shows an example Plan of Action and Milestones (POA&M) for the company cell phones based on its applicable controls.

Figure 1 - POA&M

The POA&M shows which controls have not been applied, the severity of not applying those controls, what it would take to fix them, and whether each control has since been applied. The Authorizing Official (AO) goes over the POA&M, as well as other artifacts, to determine whether the risk is worth accepting in order to authorize the system. In this case, it is likely that the AO would grant an Authorization to Operate (ATO) for the system, since the unapplied controls have a low severity and are mitigated by other controls. These controls should be applied before the next ATO for the system is due.
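To make the POA&M fields and the AO's reasoning concrete, the following tracker is an added example; it is not the paper's Figure 1 and does not reproduce it. It records each open weakness with its control, severity, required fix, milestone, and any compensating controls, and then applies the decision rule the paper describes: authorization is recommended only when every open gap is low severity or covered by another control, and open items must fall within the three-year ATO period. The control identifiers are taken from the paper's control list; the weaknesses, dates, and severities are constructed for the example.

```python
"""Plan of Action and Milestones (POA&M) tracker.

Added example, not the paper's Figure 1. Models the fields the paper says a
POA&M carries (unapplied control, severity, remediation, status) and the two
checks an AO or ISSO would run over it: is the residual risk acceptable, and
are the milestones inside the ATO period. Control ids come from the paper's
control list; the gaps, dates and severities are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Union

SEVERITY_ORDER = {"low": 0, "moderate": 1, "high": 2}
ATO_PERIOD = timedelta(days=3 * 365)  # the paper's typical three-year ATO

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept date objects or ISO strings, as a CSV export would give."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class PoamItem:
    control: str                 # SP 800-53 control id, e.g. "SC-8"
    weakness: str                # what is not yet in place
    severity: str                # "low" | "moderate" | "high"
    remediation: str             # what it would take to fix
    milestone: DateLike          # planned completion
    compensating: List[str] = field(default_factory=list)  # controls mitigating the gap
    completed: Optional[DateLike] = None

    @property
    def is_open(self) -> bool:
        return self.completed is None


def open_items(poam: List[PoamItem]) -> List[PoamItem]:
    return [i for i in poam if i.is_open]


def unmitigated_items(poam: List[PoamItem], max_accepted_severity: str = "low") -> List[PoamItem]:
    """Open items the AO should not simply accept: severity above the threshold
    and no compensating control listed."""
    limit = SEVERITY_ORDER[max_accepted_severity]
    return [i for i in open_items(poam)
            if SEVERITY_ORDER[i.severity] > limit and not i.compensating]


def ato_recommendation(poam: List[PoamItem], max_accepted_severity: str = "low") -> str:
    """Mirror the paper's reasoning: grant when every open gap is low severity or
    covered by another control; otherwise withhold, naming the blocking controls."""
    blocking = unmitigated_items(poam, max_accepted_severity)
    if blocking:
        return "WITHHOLD: " + ", ".join(i.control for i in blocking)
    return "GRANT"


def overdue_items(poam: List[PoamItem], ato_date: DateLike, today: DateLike) -> List[PoamItem]:
    """Open items whose milestone has passed, or that fall after the ATO expiry
    (the paper wants leftover controls closed within the ATO period)."""
    expiry = _as_date(ato_date) + ATO_PERIOD
    now = _as_date(today)
    return [i for i in open_items(poam)
            if _as_date(i.milestone) < now or _as_date(i.milestone) > expiry]


# Constructed sample POA&M for the company phones.
ATO_DATE = date(2019, 8, 1)
SAMPLE_POAM = [
    PoamItem("SC-8", "Mail client allows fallback to unencrypted transport",
             "low", "Enforce TLS-only in the MDM mail profile",
             "2019-12-31", compensating=["AC-18", "SC-7"]),
    PoamItem("AT-2", "Annual mobile-security training not yet delivered",
             "low", "Schedule the training module", "2019-10-15"),
    PoamItem("MP-6", "Remote wipe not verified on returned devices",
             "moderate", "Add wipe confirmation to the offboarding checklist",
             "2019-11-30", compensating=["AC-19"]),
    PoamItem("IA-5", "Default PIN length below policy",
             "low", "Push 6-digit minimum via MDM", "2019-09-01",
             completed="2019-08-20"),
    PoamItem("CA-7", "No automated feed from the MDM into the monitoring dashboard",
             "low", "Integrate the MDM export with the log platform", "2023-03-01"),
]

if __name__ == "__main__":
    print("open:", [i.control for i in open_items(SAMPLE_POAM)])
    print("recommendation:", ato_recommendation(SAMPLE_POAM))
    print("overdue or outside ATO on 2019-11-01:",
          [i.control for i in overdue_items(SAMPLE_POAM, ATO_DATE, "2019-11-01")])
```

In the sample, MP-6 is moderate severity but is listed with a compensating control, so it does not block the recommendation; a high-severity gap with nothing compensating would. The CA-7 milestone sits beyond the ATO expiry and is therefore flagged even though its date has not passed.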

The last step of the RMF process is monitoring the security controls. Monitoring the security controls of the system is an ongoing process used to determine how effective the controls are and what has changed in the system, and to make sure the system complies with any applicable laws, policies, and/or standards. One aspect of continuous monitoring is attempting to apply the controls included in the POA&M, as mentioned in the previous paragraph. ATOs are typically granted for a three-year period, so the controls that were previously left out should be applied within that period. In this phase of RMF, security should also be checking for updates and applying patches, as well as testing and deploying them. Each cell phone should be synced to a common time source, access controls should be reconfigured if needed, and any anomalies that are detected should be documented. Changes to hardware and software need to be tracked by logs, and software updates should only be made after security has tested them. Personnel at the company change, so it should be tracked which employees have devices checked out and which applications are needed on each device. If access to a phone is revoked, that individual's permissions need to be taken away, and the data needs to be scrubbed when an employee no longer uses the device. Luckily, changes to the working environment do not make much difference to the cell phone system: whatever location the company moves to, and whenever employees from another organization may be around, lockers should be provided so that employees can lock up their phones when not in use. Assessments should be performed periodically, as should log reviews, vulnerability scans, and penetration tests. Periodic security training, once a year, should also be given to those who use the mobile phones. All of these continuous monitoring strategies should be stated in the continuous monitoring plan and signed off by both management and security.
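Several of the monitoring tasks above (a common time source, patches applied only after testing, tracking which employee has which device, and scrubbing a device once its user leaves) can be checked mechanically against a device inventory and an HR roster. The script below is an added example, not from the paper or from any particular MDM product: it runs those checks over a constructed inventory and roster and returns the findings in a form that can be written to the anomaly log the paper calls for. The record fields, thresholds, and sample data are assumptions chosen for the example.

```python
"""Continuous-monitoring checks for the company phone fleet.

Added example (not from the paper). Runs three of the paper's monitoring
tasks over a device inventory and an HR roster: devices still assigned to
departed employees that were never wiped, devices whose clock has drifted
from the common time source, and devices not on the security-tested build
or not patched recently. Field names, thresholds and records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance against the time source
MAX_PATCH_AGE = timedelta(days=30)      # assumed maximum age of the last patch


@dataclass
class Device:
    device_id: str
    assigned_to: str        # employee id, or "" when unassigned / in a locker
    os_build: str           # build string reported by the device
    last_patch: datetime    # when the device last took an update
    clock_offset_s: int     # device clock minus the common time source, in seconds
    wiped: bool             # remote wipe confirmed after last hand-back


@dataclass
class Employee:
    employee_id: str
    active: bool            # still employed according to HR


def find_orphaned_devices(devices: List[Device], roster: List[Employee]) -> List[str]:
    """Devices still assigned to someone no longer active and not yet wiped.
    These are the 'permissions not revoked / data not scrubbed' cases."""
    active = {e.employee_id for e in roster if e.active}
    return [d.device_id for d in devices
            if d.assigned_to and d.assigned_to not in active and not d.wiped]


def find_clock_drift(devices: List[Device], max_skew: timedelta = MAX_CLOCK_SKEW) -> List[str]:
    """Devices whose clock disagrees with the common time source by more than max_skew."""
    return [d.device_id for d in devices
            if abs(d.clock_offset_s) > max_skew.total_seconds()]


def find_stale_patches(devices: List[Device], approved_build: str, now: datetime,
                       max_age: timedelta = MAX_PATCH_AGE) -> List[str]:
    """Devices not on the build security has tested, or not patched within max_age."""
    return [d.device_id for d in devices
            if d.os_build != approved_build or now - d.last_patch > max_age]


def monitoring_report(devices: List[Device], roster: List[Employee],
                      approved_build: str, now: datetime) -> Dict[str, List[str]]:
    """One mapping of finding -> affected devices, suitable for the anomaly log."""
    return {
        "orphaned_not_wiped": find_orphaned_devices(devices, roster),
        "clock_drift": find_clock_drift(devices),
        "stale_patch": find_stale_patches(devices, approved_build, now),
    }


# Constructed sample data standing in for an MDM export and an HR feed.
NOW = datetime(2019, 8, 1, 9, 0)
APPROVED_BUILD = "2019.07-sec"
ROSTER = [
    Employee("E-100", active=True),
    Employee("E-200", active=False),   # left the company, device never returned
    Employee("E-300", active=False),   # left the company, device wiped on return
]
DEVICES = [
    Device("D-001", "E-100", APPROVED_BUILD, datetime(2019, 7, 20), 12, False),
    Device("D-002", "E-200", APPROVED_BUILD, datetime(2019, 7, 10), 0, False),
    Device("D-003", "E-300", APPROVED_BUILD, datetime(2019, 7, 25), 0, True),
    Device("D-004", "E-100", "2019.05-sec", datetime(2019, 5, 30), 900, False),
    Device("D-005", "", APPROVED_BUILD, datetime(2019, 7, 28), -30, False),
]

if __name__ == "__main__":
    for finding, ids in monitoring_report(DEVICES, ROSTER, APPROVED_BUILD, NOW).items():
        print(f"{finding}: {ids or 'none'}")
```

Each finding maps back to a control from the paper's list: orphaned devices to MP-6 and IA-5, clock drift to the audit controls that depend on consistent timestamps, and stale builds to the patching and integrity controls. Running the report on a schedule and filing its output is the documented anomaly record the paper asks for.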

There are many steps in the RMF process, and the process is never over as long as the system is in use. An assessment event and obtaining an ATO are not the end of RMF; continuous monitoring is arguably one of the most important parts of the entire lifecycle, and it is often the longest. A great deal of importance needs to be placed on continuous monitoring, and participation from management is necessary to ensure that security is being applied to the system. Although risk is never completely alleviated, there are controls that can be put in place to help mitigate the risk and ensure that no threats take place against the system. Cell phones can be very susceptible to cyber-attacks. "It's easy to forget that your mobile phone is essentially a pocket-sized computer and that, just as with any device that can connect to the Internet, mobile phones are at risk of a cyberattack" (Gilani, 2016). This risk becomes an even bigger issue when there are many cell phones spread across many individuals in the company. It is important that security is taken seriously and that the controls mentioned are properly implemented to protect the company and its employees from a cyber-attack. Following the RMF process from start to finish, ensuring that the system is categorized, that security controls are selected, implemented, and assessed, and that the system is authorized and monitored, is essential to maintaining security for the system. Following the steps laid out in this paper will ensure that a minimal amount of risk is introduced to the cell phones of The Gaming Company.

References

Brian, M., Tyson, J., & Layton, J. (2000, November 14). How Cell Phones Work. Retrieved July 13, 2019, from https://electronics.howstuffworks.com/cell-phone.htm

CIA Triad. (2018, February 7). Retrieved July 7, 2019, from https://resources.infosecinstitute.com/cia-triad/#gref

Draft NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. (2017, August). Retrieved July 21, 2019, from https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems. (2004, February). Retrieved July 13, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Gilani, S. (2016, November 6). Mobile Phone Security: All You Need to Know. Retrieved July 29, 2019, from https://www.technewsworld.com/story/85661.html

NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. (2011, March). Retrieved July 7, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

Souppaya, M., & Scarfone, K. (2013, June). NIST Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise. Retrieved July 13, 2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
