Security Policies

Description

Overview: This report is designed to provide users with an opportunity to consider a particular organization and design an information assurance program for that organization.

Objective: The goal of the Security Policies Report is to produce a set of policies that represent the important security issues for your example organization.

Report Requirements: The Security Policies Report will consist of three policy reports. Each should be written as a separate document according to the following specifications.

Part 1. Enterprise Information Security Policy – The Enterprise Information Security Policy (EISP) is a general policy specified for the entire organization. You will write a policy for your organization based on the information you specified about the organization in your proposal. Your EISP should contain at least the following:

  • Statement of Purpose
  • Information Security Elements
  • Need for Information Security
  • Information Security Responsibilities and Roles
  • Reference to Other Information Standards and Guidelines

You can find details about these elements in Table 5-1 of the textbook.

Here is a list of several example EISPs for real organizations that might be useful in guiding you to write your own. These represent examples from educational, governmental and corporate organizations.

  • Massachusetts State Information Security Policy: http://www.mass.gov/anf/researchand-tech/cyber-sec...
  • Harvard University's Enterprise Security Policy: http://policy.security.harvard.edu/
  • Kennesaw State University Enterprise Information Security Policy: https://policy.kennesaw.edu/sites/web.kennesaw.edu... on_security_policy-20180614.pdf

Part 2. Issue Specific Security Policy – An Issue Specific Security Policy (ISSP) is a policy defined for a particular issue. In an overall security plan, an organization will provide many ISSPs. For this project, you will choose one ISSP and write the policy document. While the specific issue you are addressing will drive some specific parts of the policy, there are common components that each ISSP should have.

Your ISSP should contain at least the following:

  • Statement of policy
  • Authorized access and usage of equipment
  • Prohibited usage of equipment
  • System management
  • Violations of policy
  • Policy review and modification
  • Limitations of liability

You can find details about these elements in Table 5-2 of the textbook.

SANS provides a set of security policy templates here: http://www.sans.org/security-resources/policies/

As part of this report, include a short description of how your ISSP may differ from a similar/generic ISSP for this issue that you might find on the Internet. That is, how do the specific characteristics of your organization affect the policy you are writing?

Part 3. Systems Specific Security Policy – Systems Specific Security Policies (SysSPs) are more focused than EISPs or ISSPs. They make up the rules to be implemented to carry out the overall technical policies. These rules typically end up being expressed through access control lists or in an intrusion detection system. For this report, you will provide some examples to illustrate your understanding of the purpose of this type of policy.

A good description of System Specific Security Policies can be found in the following document (Section 5.3):

  • Special Publication 800-12: An Introduction to Computer Security - The NIST Handbook, Section II. Management Controls, Chapter 5: Computer Security Policy, NIST Computer Security Division: Computer Security Resource Center (CSRC).

Using this document as a guide, provide the following in this report:

  • Three example Security Objectives that reflect policies for your organization.
  • Three example Operational Security Rules that relate to the objectives. Your rules do not have to be comprehensive, just representative. That is, you don't have to worry about covering every possible rule that applies to the stated objectives. Just provide a few to indicate your understanding of the concepts.

    Unformatted Attachment Preview

Organization Name: Insomniac Games

Purpose: Insomniac Games is an American game development company founded by Ted Price in 1994. It was originally named “Xtreme Software” but was renamed within only a year due to copyright issues. Their current name was picked from several brainstorm ideas such as “Ragnarok” and “Ice Nine”. It is a privately owned company with about 275,000+ employees; its headquarters reside in Burbank, California, and it has been operating for about 24 years. This firm is part of the computer and video game industry, and has created some well known console games such as 2018's “Spider-Man” along with several early PlayStation game titles such as “Ratchet and Clank”, “Spyro the Dragon”, and the “Resistance” series. Their mission is simple: to provide the best video games out there. The founder, Ted Price, knew that he wanted to be in the video game industry since he was nine years old, and with the help of Universal Studios he was able to make his dream come true. This company has gone through many ups and downs, but despite their setbacks, they managed to keep their independence. The company found that being controlled by another company would be very frustrating, to the point that even when working with Sony, the people at Insomniac Games made sure that they held complete control. This company has received numerous awards, including “Best Small & Medium Companies to work for in America” in 2005, 2006, and 2007, and having their game “Marvel's Spider-Man” nominated for “Most Anticipated Game” during the 2017 Game Awards.

Employees: There are 275,000+ employees in total between their headquarters in Burbank, California and another branch of their company in Durham, North Carolina. The main headquarters property is around 10,000 square feet and serves as an administration and development facility. It includes two development offices, a design facility, a couple of conference rooms, a computer/server center, a cafeteria, and a welcome area. The departments are also separated by floor (IT on one floor, HR and Sales on another, etc.). The employees in this company are well taken care of, since the company has won many awards in this area such as “California's Best Places to Work” in 2008, ranked 69 in “Best Workplaces for Millennials” in 2017, and ranked 6 in “Best Small and Medium Workplaces in Southern California 2017”. These awards are well deserved, as some of the company perks include a fully stocked complimentary kitchen, discounted gaming events, onsite fitness facilities, a full in-house masseuse, chiropractor and acupuncturist, and good healthcare and benefits including coverage for dental and vision expenses. Another interesting fact about their employees is that they are rewarded for their loyalty through a Seniority Award Program and a Loyalty Bonus Plan, which help employees stay true to the company goals and expectations. The types of employees this company has include:

  ● Senior Production Manager
  ● Associate DevOps Engineer
  ● Game Writers
  ● Game Designers
  ● Various Visual and Audio Artists
  ● QA Testers
  ● Game/Computer Programmers
  ● Researchers
  ● HR Generalists
  ● Chief Technology Officer (CTO)
  ● Chief People Officer (CPO)
  ● Chief Financial Officer (CFO)
  ● Chief Executive Officer (CEO)
  ● Chief Information Officer (CIO)
  ● Internal communicators
  ● IT Staff

They have more programmers, artists and designers than any other position in the company since they are a gaming company. From research, there may be a lack of security professionals in the company and there may be no Chief Information Officer.

Departments: IT, Sales, HR, Management, Production, Graphical Design, Audio Design, Finance, Merchandising, Development, Security, Internal Affairs.

Assets:
  1. Commercial Buildings: Office Buildings and Design Studios.
  2. Financial Services: Money Management, Accounting, Insurance, Investment Funds, Payroll.
  3. Computer Assets: Computers and Laptops, Computer Hardware, Printers, Software Programs, Patents, Monitors, Tablets, Mice, Keyboards.
  4. IT Assets: Any company-owned information.
  5. Network Software and Hardware: Networking products (communication boards, Modems, Network security, Routers, LAN, WAN), Software (Backup/Archive/Storage, Business, Database, Business Intelligence, Management, OS, Security, visual, utility software).
  6. Mail Servers: Mail Transfer Agent, Mail Router; sends and receives mail from local and remote users.
  7. Database Servers: Servers that house database applications that provide services to other computer programs or computers through the client-server model.
  8. Web Servers: Program or electronic device that uses HTTP to serve files that form Web pages to users, by responding to requests by users.
  9. Application Software Licenses: Workstation Licenses, Proprietary Licenses, End User Agreements.
  10. Employees: A person employed for wages or a salary.
  11. System Admin: A person who is responsible for the upkeep, configuration, and operation of the computer systems.
  12. Proprietary Property: Something owned or a brand protected by intellectual property rights.

Threats/Attacks:
  ● Sabotage/Vandalism: Hacktivist, Destruction of Property, DOS, Arson
  ● Technical Software Failures: Buffer overruns, Cross site scripting, Command injection
  ● Forces of Nature: Fire, Floods, Earthquakes, Lightning, Severe Storms, Snow
  ● Software Attacks: Malware, Virus, Worm, Polymorphic threat, Rootkits, Trojans
  ● Human Error: Phishing, Pretexting, Spear phishing, Info extortion
  ● Espionage: Hackers, Social Engineering
  ● Compromises to Intellectual Property: Software Piracy, Provider issues, Blackout

IA State and Goals: This is a company that is currently growing. With IA in place, we understand that the company's client information, assets, and the services provided to them are integral to its business and must be appropriately secured. This can be done by reducing the risk of potential financial, reputational, and operational damage to the company and protecting clients from the growing risk of compromise and information breach. The company's solution to security is very narrow and needs a program that involves more information security, rather than a technical security goal that needs to be put in place.

INFORMATION SECURITY 1

Report 1 – Risk Management

Note: There was a miscommunication and Edwards' initial work for the report was combined into what the document is now; there is an attached file submitted with this document where you can see his initial responses alone.

1. Risk Identification

Asset Analysis Worksheet

Weighted Factor Asset Analysis Worksheet (criterion weights, 1-100: Criteria 1, Impact to Revenue, 30; Criteria 2, Impact to Profitability, 40; Criteria 3, Impact to Public Image, 30)

Information Asset | Criteria 1: Impact to Revenue (30) | Criteria 2: Impact to Profitability (40) | Criteria 3: Impact to Public Image (30) | Weighted Score
--- | --- | --- | --- | ---
Commercial Buildings | 0.4 | 0.5 | 0.3 | 41
Financial Services | 0.8 | 0.9 | 0.6 | 78
Computer Assets | 0.9 | 0.7 | 0.9 | 86
IT Assets | 1 | 1 | 0.9 | 97
Network Software and Hardware | 1 | 1 | 0.7 | 91
Mail Servers | 0.4 | 0.3 | 0.2 | 30
Database Servers | 1 | 1 | 1 | 100
Web Servers | 0.8 | 0.8 | 0.9 | 83
Application Software Licences | 0.8 | 0.7 | 0.7 | 73
Employees | 0.5 | 0.7 | 0.8 | 67

Written Explanation

1) The criteria you have chosen to use.
When looking at the information, the group agreed on seeing profitability and revenue as very important components in a business, both generally and financially. To proceed and to continue being a fruitful game development company, Insomniac Games must produce adequate income to take care of its expenses, both physical and technological, and be able to make a profit. Likewise, the association should try to enhance its public image by giving its fans, lovers, and employees alike the experience that they are after.

2) The weighting of each criterion.
Each criterion has been assigned a weight showing its relative importance. After looking into the company and from what we had in the proposal, it was decided that profitability should rank the highest at 40 in weight, while image and revenue each have a weight of 30. In total, it is pretty rounded for the three categories, since all three share quite a bit of importance.

3) The value chosen for the impact on the criterion of losing the asset (from least to greatest).
Each asset has been assigned a score of 0.1-1.0 for each critical factor, with 0.1 being the lowest and 1.0 the highest. Below is a list from lowest to highest with their total weighted score to make it easier to see.
  ● Mail Servers - 30
  ● Commercial Buildings - 41
  ● Employees - 67
  ● Application Software Licenses - 73
  ● Financial Services - 78
  ● Web Servers - 83
  ● Computer Assets - 86
  ● Network Software and Hardware - 91
  ● IT Assets - 97
  ● Database Structures - 100

Vulnerability Assessment Worksheet

Assets assessed: Commercial Buildings, IT Assets, Network Software and Hardware, Employees, Computer Assets.

Threat | Possible Vulnerabilities
--- | ---
Vandalism | Denial of service, Spyware
Forces of Nature | Fire, floods, earthquakes, severe storms
Human error | Phishing, pretexting
Software attacks | Malware
Technical Failures | Buffer overruns
Sabotage | Hacktivist, arson
Human error | Information extortion
Natural Hazards | Fire, Severe storms, floods
Technical Failures | Buffer overruns
Vandalism | Defacement

Written Explanation
  ● Each threat and each vulnerability and why you think they may cause harm to the organization.
    ○ Vandalism
      ■ Denial of Service: would hurt availability of the company
      ■ Spyware: passwords, emails, usernames and more could be stolen
      ■ Defacement: the organization's image could be harmed
    ○ Forces of Nature
      ■ Fire, floods, earthquakes, severe storms: property damage could lead to evacuation, and loss of data, for example in server farms that were damaged
    ○ Human error
      ■ Phishing: company information could be stolen due to employees' lack of knowledge about phishing attacks
      ■ Pretexting
    ○ Software attacks
      ■ Malware: could harm software, or take control and use software against the organization
    ○ Technical Failures
      ■ Buffer overruns: could cause a halt on the server and hurt the organization's availability
    ○ Sabotage
      ■ Hacktivist: could harm the company in order to gain public gratitude on a political topic.
      ■ Arson: potential to destroy information, harm employees, possible potential to put the organization out of business due to size.
    ○ Natural Hazards
      ■ Fire, Severe storms, floods: potential to destroy information, harm employees, possible potential to put the organization out of business due to size.

Acts of human error or failure can occur when employees cause an outage if configuration errors are made. In addition to this, deliberate acts of vandalism or sabotage may leave the organization vulnerable to denial of service attacks. All assets and information in the organization are vulnerable to extreme forces of nature unless suitable measures are put in place. Deliberate software attacks can leave the company vulnerable to malware attacks and can even reveal sensitive information, while hardware may be subject to defacement.

2. Risk Assessment

Ranked Vulnerability Risk Worksheet

Asset | Vulnerability | Asset Impact or Relative Value (V) | Vulnerability Likelihood (P) | Risk-Rating Factor (P * V)
--- | --- | --- | --- | ---
Network Software and Hardware | Hacktivist | 91 | 0.5 | 45.5
Network Software and Hardware | Buffer overrun | 91 | 0.2 | 18.2
Computer Assets | Buffer overrun | 86 | 0.2 | 17.2
Computer Assets | Defacement | 86 | 0.3 | 25.8
IT Assets | Malware | 97 | 0.5 | 48.5
IT Assets | Phishing | 97 | 0.8 | 58.2

Written Explanation
  ● The likelihood specified for each vulnerability. Sometimes this can be found in statistical information about threats. In other cases, you will have to make an educated guess at the probability that the vulnerability will be exploited. In either case, justify the values that you specify.
    ○ The first asset, Network Software and Hardware, has two vulnerabilities. For the first, hacktivist, the likelihood specified is 0.4; we chose this due to statistical information found in a Bit9 survey of 2,000 information technology professionals, in which 61% of respondents were concerned about their organization becoming the target of a hacktivist attack. More data found in this and other information from online scholarly articles shows that as politically prominent global hacktivist groups such as Anonymous and LulzSec grow, the probability is much higher than in previous years.
    ○ The second vulnerability for the first asset, and also the first for Computer Assets, is buffer overrun; the likelihood is specified as 0.2. This is due to statistics found in some advanced test articles of likely threats done in 2011.
    ○ The second vulnerability we chose for Computer Assets is defacement, which was specified as 0.3. Considering there is not much analysis done on the probability of a defacement attack, this was done with an educated guess. Since defacement is simple to do, and not very common, we chose 0.3, which gave us a risk-rating factor of 25.8.
    ○ The third chosen asset, our IT Assets, had its vulnerabilities specified as malware and phishing. Malware was given 0.5; this is based on the fact that newer tools are rapidly emerging, and threats are increasing due to this. On the other hand, phishing attacks are very common; this is well known in industry, and so there are many articles on this topic and also many reports from organizations, schools, etc. This was more of a well educated guess.
    ○ A survey conducted in 2014 on types of attacks showed that malware infections have been on the increase in recent years and thus cannot be overlooked (Jouini et al., 2014). Buffer overflow can occur inadvertently, while phishing and defacement have a higher likelihood of occurring. Computer systems have also been subject to malicious acts by hacktivists trying to push through their own agendas.

3. Risk Control

Cost Benefit Analysis Worksheet

Asset | Asset Value | Vulnerability | Exposure Factor (EF) | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annualized Loss Expectancy (ALE) | Control Strategy | ALE (post) | Annualized Cost of Control | Final CBA
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Network Software and Hardware | $118,000 | Hacktivist | 20% | $23,600 | 0.25 | $5,900 | Antivirus and network intrusion systems | $2,500 | $430 | $2,970
IT Assets | $95,000 | Phishing | 25% | $23,750 | 0.45 | $10,687.50 | Regularly change passwords | $5,100 | $0 | $5,587.50
Computer Assets | $100,000 | Defacement | 18% | $18,000 | 0.25 | $4,500 | Upgrading security systems | $1,700 | $1,500 | $1,300

Written Explanation
  ● The Exposure Factor for each Asset/Vulnerability pair. This represents the percentage loss that would occur from a given vulnerability being exploited.
    ○ The organization would incur a 20% loss if hacktivists were to gain access to the systems and exploit them. In addition to this, the company can also suffer a 25% loss if hackers were to successfully gain access to sensitive information regarding the software or passwords to the system. Defacement of hardware equipment may also bring about an 18% loss to the company if adequate security measures are not put in place.
  ● The Annualized Rate of Occurrence for each vulnerability. This may be found through statistical information, or you may need to make an educated guess about how often to expect the vulnerability to be exploited.
    ○ Attempts by activists to gain illegal access to the information in game development companies occur 0.25 times per year, while phishing attempts occur more frequently at 0.45 times per year. Cases of defacement through vandalism are also few and far apart, occurring 0.25 times per year.
  ● The computation of ALE (post). This represents the Annualized Loss Expectancy after the control has been put into place. Since you have not implemented the control, you do not have this data. However, you can estimate it by considering how the Exposure Factor will be reduced by implementing the control. Please explain how you derived the value for ALE (post) for each vulnerability.
    ○ Once the control strategies have been put in place, the annualized loss expectancy from vulnerability activities is bound to reduce. The value of ALE (post) is derived by multiplying the value of ALE (pre) by 50%.

References

Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in information systems. Procedia Computer Science, 32, 489-496.

Acohido, B., & USA TODAY. “Hacktivist Attacks Grow, Get Political.” USA Today. EBSCOhost, uri.idm.oclc.org/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=J0E021369519112&site=ehost-live&scope=site. Accessed 18 Oct. 2018.

Jones, J., & Shashidhar, N. (2017). Ransomware Analysis and Defense: WannaCry and the Win32 environment. International Journal of Information Security Science, 6(4), 57–69. Available at: . Accessed 18 Oct. 2018.
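As an added check (editor's code, not part of the submitted report), the following Python recomputes the three worksheets above from the formulas the report relies on (weighted factor score, risk rating P * V, SLE = AV * EF, ALE = SLE * ARO, CBA = ALE(pre) - ALE(post) - ACS), using the report's own figures, and lists any row whose printed total does not follow from the formula.

```python
# Criterion weights from the weighted factor analysis worksheet (sum to 100):
# impact to revenue, impact to profitability, impact to public image.
WEIGHTS = (30, 40, 30)

# (asset, revenue impact, profitability impact, image impact, stated weighted score)
ASSET_ROWS = [
    ("Commercial Buildings", 0.4, 0.5, 0.3, 41),
    ("Financial Services", 0.8, 0.9, 0.6, 78),
    ("Computer Assets", 0.9, 0.7, 0.9, 86),
    ("IT Assets", 1.0, 1.0, 0.9, 97),
    ("Network Software and Hardware", 1.0, 1.0, 0.7, 91),
    ("Mail Servers", 0.4, 0.3, 0.2, 30),
    ("Database Servers", 1.0, 1.0, 1.0, 100),
    ("Web Servers", 0.8, 0.8, 0.9, 83),
    ("Application Software Licenses", 0.8, 0.7, 0.7, 73),
    ("Employees", 0.5, 0.7, 0.8, 67),
]

# (asset, vulnerability, asset value V, likelihood P, stated risk rating P * V)
RISK_ROWS = [
    ("Network Software and Hardware", "Hacktivist", 91, 0.5, 45.5),
    ("Network Software and Hardware", "Buffer overrun", 91, 0.2, 18.2),
    ("Computer Assets", "Buffer overrun", 86, 0.2, 17.2),
    ("Computer Assets", "Defacement", 86, 0.3, 25.8),
    ("IT Assets", "Malware", 97, 0.5, 48.5),
    ("IT Assets", "Phishing", 97, 0.8, 58.2),
]

# (asset, vulnerability, asset value, EF, ARO, ALE(post), ACS, stated final CBA)
CBA_ROWS = [
    ("Network Software and Hardware", "Hacktivist", 118_000, 0.20, 0.25, 2_500, 430, 2_970.0),
    ("IT Assets", "Phishing", 95_000, 0.25, 0.45, 5_100, 0, 5_587.5),
    ("Computer Assets", "Defacement", 100_000, 0.18, 0.25, 1_700, 1_500, 1_300.0),
]

def weighted_score(revenue, profitability, image):
    """Weighted factor score: each impact (0.1-1.0) times its criterion weight."""
    return round(sum(i * w for i, w in zip((revenue, profitability, image), WEIGHTS)), 1)

def risk_rating(likelihood, asset_value):
    """Ranked vulnerability risk-rating factor: likelihood P times asset value V."""
    return round(likelihood * asset_value, 1)

def cost_benefit(asset_value, ef, aro, ale_post, acs):
    """SLE = AV * EF; ALE(pre) = SLE * ARO; CBA = ALE(pre) - ALE(post) - ACS."""
    sle = round(asset_value * ef, 2)
    ale_pre = round(sle * aro, 2)
    return {"sle": sle, "ale_pre": ale_pre, "cba": round(ale_pre - ale_post - acs, 2)}

def check_worksheets():
    """One message per worksheet row whose stated total does not follow from the formula."""
    mismatches = []
    for asset, rev, prof, img, stated in ASSET_ROWS:
        if (got := weighted_score(rev, prof, img)) != stated:
            mismatches.append(f"weighted score, {asset}: stated {stated}, computed {got}")
    for asset, vuln, v, p, stated in RISK_ROWS:
        if (got := risk_rating(p, v)) != stated:
            mismatches.append(f"risk rating, {asset}/{vuln}: stated {stated}, computed {got}")
    for asset, vuln, av, ef, aro, post, acs, stated in CBA_ROWS:
        if (got := cost_benefit(av, ef, aro, post, acs)["cba"]) != stated:
            mismatches.append(f"CBA, {asset}/{vuln}: stated {stated}, computed {got}")
    return mismatches

if __name__ == "__main__":
    print("\n".join(check_worksheets()) or "all worksheet totals reconcile")
```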