Critical Thinking Exercises
Should all controls be subject to the ongoing check phase?
Yes; however, they do not need to be checked at the same frequency. Some controls, such as policy, may need to be reviewed only on an annual basis or even less often. Controls such as patch management and IT network inventory should be checked on a more frequent basis, such as daily or weekly. Finally, some controls, such as the network intrusion detection system, should be monitored in as near to real time as possible.
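The tiered cadences described above (annual policy review, daily or weekly inventory and patch checks, continuous intrusion monitoring) only help if someone notices when a check has lapsed. The following is an added example, not code from the original text: it runs a small control register through an overdue check. The register contents, the cadence values and the reference date are constructed for illustration; a cadence of 0 is taken to mean continuous monitoring, so the control is overdue as soon as a day passes without a check.

```python
from datetime import date, timedelta

# Constructed control register (example values, not from the text).
# cadence_days: how often the check must recur; 0 = continuous / near-real-time,
# meaning a check must exist for the current day.
CONTROL_REGISTER = [
    {"control": "Security policy review",      "cadence_days": 365, "last_checked": date(2023, 1, 15)},
    {"control": "Patch management review",     "cadence_days": 7,   "last_checked": date(2024, 3, 1)},
    {"control": "IT network inventory",        "cadence_days": 1,   "last_checked": date(2024, 3, 9)},
    {"control": "Network intrusion detection", "cadence_days": 0,   "last_checked": date(2024, 3, 9)},
]


def next_due(entry):
    """Date by which the control must have been checked again."""
    cadence = entry["cadence_days"]
    if cadence == 0:
        # Continuous monitoring: the last check must be from today itself.
        return entry["last_checked"]
    return entry["last_checked"] + timedelta(days=cadence)


def overdue_controls(register, today):
    """Return (control, days_overdue) for every control whose due date has
    passed, most overdue first. A control due today is not yet overdue."""
    overdue = []
    for entry in register:
        days_late = (today - next_due(entry)).days
        if days_late > 0:
            overdue.append((entry["control"], days_late))
    return sorted(overdue, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for control, days in overdue_controls(CONTROL_REGISTER, date(2024, 3, 10)):
        print(f"{control}: {days} day(s) overdue")
```

With the constructed register and a reference date of 10 March 2024, the annual policy review (last done January 2023) is the most overdue, the weekly patch review is two days late, the intrusion detection feed is flagged because no check was recorded for the current day, and the daily inventory is due today but not yet late.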
An organization currently has a website that processes personally identifiable information for a client. A network engineer points out a vulnerability in the website that will cost $125,000 to mitigate. Currently, the system is operating in the United States, and it would be subject to breach notification laws. What is the best approach to ensure a return on investment?
According to the Institute, the cost per person for a breach in 2011 was $194 per individual. Therefore, from a purely financial perspective, the cost trade-off lies in the size of the database: if there are more than 645 individuals, then it makes good financial sense to implement the change. What about the loss of confidence? What about the consumer backlash? What if these records are held as part of a business contract and the organization's actions may tarnish a business partner? These are additional non-financial considerations that must be weighed before the full exposure and the full return on the requested investment can be understood.
An organization has approximately 20,000 workstations and 5,000 servers around the world. A new zero day has been published that affects 90% of the systems, including servers. A zero day is a recently discovered, previously unknown system or software weakness. How should the organization go about prioritizing mitigation efforts?
It is highly unlikely an organization would be able to push out a patch to all of its systems without severely impacting network resources, or possibly crippling production systems if the patch is pushed without testing. Therefore, a staged rollout would most likely take place. Additionally, the patch should be tested in testing and staging environments to determine whether any side effects occur because of the patch. The categorization process should identify the most critical and valuable assets to the organization; these should be targeted for remediation first, followed by moderate or sensitive operations and, finally, everything else. If the exposure is severe, the organization may even shut down or isolate some of its network until it can free the resources to patch it.
Consider an organization with several different components and a decentralized information technology infrastructure. Marketing has its own information technology, as do manufacturing and finance. What is the best approach when hiring new employees in any area to ensure they understand their information assurance responsibilities?
Much like policies, the organization should have high-level expectations and requirements for information assurance. Each component may then have additional requirements for suitability and access to information. The choice to have a decentralized organization is a choice to accept greater complexity in policy and in the resulting implementation of solutions. Therefore, the employee may have one agreement for the organization and another for the specific area in which they are working. If an employee is transferred or receives additional responsibilities in another component, they will need to sign an additional agreement stating they understand the new security requirements.
A breach has occurred, and according to the organization's website privacy policy and terms of service, your customers agreed to whatever level of security the organization deemed reasonable. Is the organization protected from retaliation from customers or other entities?
Several legal cases in the past several years have shown that courts look at information assurance from a due diligence and due care standpoint. Customers have an expectation of protection and privacy from online retailers; therefore, even though they may agree to the terms of service, a court can determine that the organization is not meeting a common "reasonable" industry safeguard.
Your organization has a website used for advertising your products or services around the world. The site is used only for disseminating information about your organization and its mission. What requirements (if any) should be in place regarding confidentiality, integrity, and availability?
Some would say there are no security requirements because "it is just a website"; however, they would be mistaken. What happens if the website goes down when a large prospective client is searching for information about your products and services? What happens if an attacker defaces your web page or changes information about your products or services pricing while the same prospective client is reviewing the information? Clearly, there are impacts associated with integrity and availability that must be addressed. How about confidentiality? Well, since the entire purpose of the web presence is to spread information, there isn't a confidentiality requirement in this specific case. Executives and senior leadership must be aware that just because something isn't confidential doesn't mean it doesn't affect the organization and therefore require information assurance.
An organization is considering developing an encryption policy. The penetration tester from the team starts documenting specific products and configurations to put into the policy. Should the policy contain these details?
Typically not. A policy is an overarching governance document developed to reflect senior management's position on a topic. While an encryption standard may include specific products and configurations, a policy would merely state that the organization will follow the organizational encryption standards. This helps ensure the policy remains enforceable while allowing the agility to change products or configurations if needed.
Within an organization, who is best suited to determine the independence of the certifier?
While operational independence should be a minimum requirement for the certifier, the degree of independence should ultimately be decided by the role that must manage and accept the risk. In most cases, this will be the accreditation official. If the accreditation official is comfortable with little separation between the certifier and the system they are reviewing, the certifier may not need to be independent at all. Organizations must be careful, however, because several industries and standards require independence of the certifier.
Recent malware attacks encrypt the storage of computers and devices and hold it for ransom. How would an organization handle the situation with information on an employee's personal bring-your-own device?
As in the prior example, the first priority must be the protection of the organization's information. The organization should have agreements in place that ensure access to and control over the personal device. If these are not in place, the owner of the personal device may refuse to turn the device over for analysis. Once obtained, the device should be analyzed by a qualified mobile device forensic expert. If the information has been backed up off the device, the most straightforward approach may be to initialize the device and restore the information. If the information has not been archived, the organization may need to consider further action. Depending on the value of the information, the organization may need to recreate the information or attempt to defeat the encryption. Paying a ransom to decrypt the device may not always result in getting the information back. The organization should learn from this incident and evolve to ensure information is replicated or backed up when it is created. Additionally, sufficient controls must be in place to protect these storage locations to ensure they are not subject to encryption malware.
Consider the sensitive information in your organization and its life cycle. Where does the data reside at rest? On hard drives? In the cloud? Where does the data reside in transit? Over the mobile phone network? Over the open internet? Over your network? What protections do you know are in place for each of the media you identified as carrying sensitive information?
Data at rest most often refers to data on a hard drive or some form of virtual storage. Data at rest should be encrypted if there are any confidentiality or privacy concerns. In the event the drive is lost, stolen, or accessed by someone without authorization, the information will be much harder to read. Additionally, data in transit should be encrypted. Several protocols and methods exist to ensure data is encrypted over "open" communication lines. The most common is HTTP over SSL (the HTTPS seen in the URL bar of many browsers when accessing secure sites such as banking). IPsec VPN solutions offer nearly always-on encryption for untrusted links between points. Users concerned about the integrity of data may also want to "hash" and "salt" the data. This process uses an algorithm to determine a single, unique, repeatable output for a given file or piece of information. Only the exact file or information can produce that output again.
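The hashing-and-salting step described above is easy to get wrong in practice (forgetting to store the salt, comparing digests with a timing-leaking string comparison, reading a large file fully into memory). The following is an added example, not code from the original text, that computes a salted SHA-256 fingerprint of a file's contents in chunks, stores the salt beside the digest, and verifies a later copy against that record. The sample "file" contents and the record layout are constructed assumptions.

```python
import hashlib
import hmac
import io
import os

CHUNK_SIZE = 64 * 1024  # read files in 64 KiB pieces so large files fit in memory


def fingerprint(stream, salt: bytes) -> str:
    """Hex SHA-256 over salt || contents. The salt is fed first so the same
    contents yield different digests under different salts."""
    digest = hashlib.sha256()
    digest.update(salt)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def fingerprint_bytes(data: bytes, salt: bytes) -> str:
    """Convenience wrapper for in-memory data."""
    return fingerprint(io.BytesIO(data), salt)


def make_record(data: bytes) -> dict:
    """Build the integrity record that is stored alongside (or apart from) the
    data: a fresh random salt plus the salted digest. Without the salt the
    digest cannot be recomputed, so it must be kept."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "sha256": fingerprint_bytes(data, salt)}


def verify(data: bytes, record: dict) -> bool:
    """Recompute the salted digest and compare in constant time, so the
    comparison itself does not leak how many leading characters matched."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(fingerprint_bytes(data, salt), record["sha256"])


# Constructed sample contents: the original file and a one-character edit.
ORIGINAL = b"Q3 pricing sheet: Widget A $10.00, Widget B $25.00\n"
TAMPERED = b"Q3 pricing sheet: Widget A $1.00, Widget B $25.00\n"

if __name__ == "__main__":
    record = make_record(ORIGINAL)
    print("record:", record)
    print("original verifies:", verify(ORIGINAL, record))
    print("tampered verifies:", verify(TAMPERED, record))
```

The check only proves as much as the record is trusted: if whoever can alter the file can also rewrite the stored salt and digest, the comparison still passes. Keeping the record on separate, access-controlled storage, or replacing the public salt with a secret key (an HMAC, which `hmac` also provides), closes that gap.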
An organization has always kept a decentralized information technology infrastructure, which has led to servers under desks, coat closets arbitrarily being turned into wiring closets, and numerous portable hard drives floating around the organization. What could happen if the organization needed to institute a reduction in force because of changing market conditions? What can an organization do to prevent the risk from these changes?
Decentralized IT is often controlled at the whim of whoever possesses it. Therefore, if a rumor is started that a layoff is coming, some employees may be inclined to start copying organizational information to external hard drives so it can be taken for use at their next job. Worse, employees could start thinking about how to sabotage the organization should they get fired. Any information technology under their control is a possible target. Without understanding the assets of the organization, the controls in place, or how to gracefully remove employees, the organization is at risk of data exfiltration and sabotage. To prevent these actions, the organization should consider centralizing at least the data managed by the organization, with tight controls around access. The organization may also want to ensure any non-disclosure agreements (if any) are enforced during the transition period. Finally, before making any announcements, the organization may want to consider implementing a data loss prevention tool to help reduce the amount of data lost. The best way to avoid loss is to start with an environment that can withstand a layoff. This means a centralized IT infrastructure with tight controls around administrative access and production systems. It also means logging and strong IAAA to ensure accountability for user actions. Finally, employees should be screened prior to hire and be required to sign non-disclosure agreements.
What information does your organization use, and what requirements must be met to ensure the confidentiality, integrity, and availability of the information? What drives these requirements for your organization?
For some information, such as PII, the requirements may seem clear; for other information, such as an executive's calendar, they may not. What requirements does the CEO of a business have for his calendar? Is there an expectation of confidentiality, or could it be made public with no recourse? How about the integrity of the calendar? Does it need to be 100% correct every time, and is it okay if anyone can make changes to it without permission? What about availability? Can it go down for a week at a time without notice and not have an impact on the organization? This is a simple example of something that may seem trivial (a calendar) but, upon further analysis, can have a substantial impact on how an organization operates.
An organization has never had a formalized information assurance program. What kind of approach is most likely currently occurring, and what are the advantages and disadvantages of the approach?
If the organization has not established a top-down information assurance program, by default the organization is operating in a bottom-up fashion at best. While there are a few advantages to the bottom-up approach (lower initial cost, lower organizational friction, and less management burden), there are also several disadvantages. The disadvantages include little visibility into the risk of operations, unknown spending on and performance of security functions, and possible legal exposure because of non-compliant IT activities. The organization should consider implementing an information assurance program with a top-down approach. Doing so provides an opportunity for greater risk management and visibility while being able to support the whole organization with tools, techniques, and risk management processes.
A member of your team informs you that the organization can purchase insurance for breaches of personally identifiable information (PII) and financial data such as credit card information. The insurance will cost less than the information assurance program proposed by the CISO. Would you purchase the insurance at the expense of an information assurance program?
If you would purchase the insurance, it is important to understand the insurance will cover only monetary exposure. Often, this covers only the expenses related to credit monitoring or identity theft mitigation. However, this will never cover the loss of reputation, the damage caused to an individual whose identity has been stolen, or business partners who are now sullied by a breach. While cybersecurity or breach insurance can be an important part of any risk management program, it cannot be relied upon to protect your organization in the same manner as an information assurance program can. Additionally, breach insurance providers require a functioning information assurance program before providing coverage.
An EU-based organization operating in the United States has knowingly allowed its employees to use personal information technology to process, store, and transmit organizational information. The organization is now being sued in a US court, and all information of the organization is subject to legal hold. What must be done with the information on employees' personal devices?
In most situations, the personal device must be imaged in a forensically sound manner to ensure the information on the device is available for discovery. This may bring up personal information on the device that is not owned by the organization but could be interpreted by the courts or counsel to be of value and relevance to the discovery. Organizations should consider carefully whether they should allow organizational information onto employee or other non-organizational devices; if they do, they should ensure the employee understands the device contents may be seized and searched should a discovery action deem it necessary.
An organization's website has been collecting the actions of users for several years now. The website was an overnight social media success, and the organization never got around to completing a privacy statement or terms of service. The organization has been selling the demographic information to advertisers and market researchers as part of its core business for more than a year now. The organization receives a legal summons related to privacy concerns about the site. What could have been done to prevent the legal exposure?
In the United States, terms of service and a privacy policy are commonly used by websites such as social media and other sites that collect personally identifiable information (PII). These agreements explain how an organization will use the information and what, if any, expectation of privacy the end user has. While not completely bulletproof, these documents, when used properly, can substantially reduce the amount of legal exposure because there is no perception of deception. In other jurisdictions, such as the European Union, the Data Protection Directive drives the requirements for collecting and handling personally identifiable information. Organizations must understand the environments they operate in and the legal jurisdictions they must comply with.
What assets or services do you think your organization considers critical for success? What is your organization's responsibility for those assets or services, and how are they currently protected? How do you know an appropriate level of due diligence and due care is being practiced in relation to your organization's use of information systems and data?
Occasionally, organizations overlook the exposure that may come from lax or negligent information assurance practices. Significant fines may be levied on organizations that do not protect sensitive information such as personally identifiable information or sensitive financial information. As information technology becomes more ubiquitous, a material finding in an information system is almost certainly going to relate to an internal control failure in a financial or management system. If your organization has not considered an industry-specific information assurance framework, why not? Consider the laws, regulations, and agreements that govern the work performed and determine whether frameworks exist. These frameworks can provide a starting point for determining the assurance of your organization's use of information technology.
Within your organization, do you use marking methods to identify sensitive information or information critical to the business? If so, what automated means do you have to ensure sensitive information is not leaked?
Organizations use their own style of classification and markings. For example, the terms confidential, embargoed, close hold, and limited official use only may broadly mean the same thing in terms of handling the information. It is important that the organization understands not only what markings it uses internally but also what its business partners may use as well. If both parties are not aware of what each other's markings mean in terms of handling and distribution, one party may inadvertently leak sensitive information of the other. The organization should ensure it has a clear understanding of its own information assurance requirements and those of its business partners. Automation of data leak prevention is complex. Several systems and vendors exist that provide a variety of methods for preventing and detecting data loss and leakage. Most of these systems rely on extensive training and human support to be effective.
A CIO has just implemented a new dashboard for the organization. As part of the dashboard, IT employees and senior management can review the vulnerability status of all IT network assets. Is this dashboard giving a holistic view of risk for the organization?
Probably not, unless the only business or mission the organization has is to patch vulnerable systems. Different systems, servers, desktops, and cloud providers support different data and different missions. Therefore, through the categorization process, some information must be deemed more critical than other information. This information and the systems processing, storing, or transmitting it are of higher impact to the organization and therefore should be protected and prioritized above all others. Additionally, numerous quantities of paper and off-network records may exist. Where is the assessment of security for those assets? An IT network monitoring dashboard could be entirely green, and then a box of personally identifiable information could be lost, and the organization will need to recover. Understanding exactly what automated tools are telling the organization, and what they are not, is critical to understanding risk.
Why is the planning phase extremely important for an organization?
The planning phase will determine control selection, implementation, and ultimately resource costs. Improper planning can lead to substantial rework, which can increase the cost and delay the schedule of implementing effective security for an organization.
An organization has decided it needs a chief security officer to determine the best way to implement the information assurance strategy of the organization. What certifications might identify a strategic information assurance individual?
The (ISC)² CISSP and the ISACA CISM are the best certifications to review. While a certification is no guarantee of success, it is a statement of accomplishment and of the minimum knowledge acquired by the individual.
An organization chooses to have its CIO be the accreditation official for its information systems. What are the strengths and weaknesses of this approach?
The CIO most likely has the best combination of overarching information technology and organizational strategy knowledge; this combination makes the CIO an attractive candidate for the role of accreditation official. However, the CIO is often not the program, mission, or business owner who will be impacted by an information system security failure. The organization may want to consider who really needs to know the risk of an information system. In addition, ask yourself: are the business or mission lines of an organization comfortable with the CIO making security funding and risk management decisions on their behalf? While the CIO may initially sound like an appealing choice for an accreditation official, in many organizations the program manager or the head of a business line is being asked to accredit systems, since that person will be held accountable for a system failure.
An organization's board of directors has recently experienced a substantial change in leadership. The new members of the board have demanded an internal audit of internal controls and information assurance. What should the president or leader of the organization be prepared to provide to ensure the board is comfortable with the audit results?
The president should understand the organization and the business or mission of the organization and how it relates to information assurance. The audit will most likely focus on internal controls that include regulatory requirements and separation of duties to prevent fraud. The audit will also cover how well the organization has identified its critical assets, services, and vulnerabilities. An organization that has information assurance as part of its corporate culture and operations will experience a less difficult audit.
A chief information security officer (CISO) continuously reports issues of risk to senior management even though they continue to deny requests for resources to mitigate the risk. The CISO holds a CISSP. Why does the CISO continue to report the risk if the board has not done anything about it in the past?
The CISO has an ethical responsibility. In accordance with the (ISC)² Code of Ethics, he must "ensure all stakeholders are well informed on the assignments and advise cautiously when required". Additionally, the CISO is bound by the following: "Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence."
An organization is thinking about moving its core infrastructure into the cloud. It makes extremely good financial sense. What actions must a prudent executive or senior leader take to ensure the financial windfall isn't caused by security shortcomings?
The executive must think about this from several angles. First, there is a question about the cost of the secure "pipes" needed to connect an organization to its cloud provider. An organization may have had a data center with fast and secure speeds at low cost. Another question: what visibility into risk does the present operation provide, and what will the cloud provider bring? If currently the organization has insight into server risk, database risk, and workstation risk, will the cloud provider deliver the same insight or less? Finally, what due diligence must the organization perform to ensure the initial security of the provider and its ongoing security? What are the costs associated with performing audits or accepting risk for non-compliance of the cloud provider?
An organization has a clear policy creation mechanism, and its information assurance team has ensured every specification and requirement is incorporated into the organization's policy. The organization routinely evaluates the policy every 6 months to determine whether updates are needed. A breach just occurred, and the encryption policy needs to be updated to include a new standard; however, the next update window won't happen for 5 months. Additionally, the policy review process is cumbersome and time-consuming because every department in the organization must review and approve the policies being created. What could the organization do to help streamline this process?
The obvious answers may seem to be to speed up the process and cut through the red tape; however, these are often easier said than done because most of the checks and balances put into place in the policy creation process are there for a reason. The more practical approach would be to rewrite the policy at a high level and authorize specific information-assurance-related standards and procedures. The policy could then delegate approval of the standards and procedures to the Chief Information Security Officer or the Chief Information Officer; in doing so, they could be rapidly updated in the event a standard or procedure changed, without the need to update the entire organization's policy. Additionally, the officers could be granted authority through the policy to issue interim policies by memo in the event of an emergency or if urgent action is required. The key is to ensure interim policies are incorporated into the organization's final policy.
An organization has had more than a dozen personal health information breaches in the past year. The organization has a policy in place that stipulates sensitive information is not to be emailed or transmitted outside of the organization. The human resources department has just enabled a new work-from-home telework policy. However, individuals have complained ever since the start of the telework program because they are unable to take information with them to work on at remote locations. How can the organization address this issue with policies, standards, procedures, and guidelines?
The organization can start with a policy that clearly states management's expectation to comply with protecting PHI and clearly identifies what PHI is. Next, it can develop standards to dictate what technologies are appropriate for processing, storing, transmitting, and protecting PHI. The standards will probably define mandatory encryption requirements for portable media and data in transit, and strong physical protections for printed data. Finally, procedures will be created to explain exactly how a person can use the encryption tools and standards in several different situations, such as email, portable media, or locking up a box of PHI in the trunk of a vehicle.
An organization operates out of the European Union but wants to use a cloud provider based in the United States to store and process healthcare information about people living in the European Union. What laws, regulations, and rules must the organization be aware of?
The organization must first be aware of any EU laws, regulations, and rules related to the proposed activities. Since the organization is somehow connected to healthcare, EU healthcare record and privacy laws should also be considered. Minimally, the EU's Data Protection Directive should be addressed. Finally, because the cloud provider is in the United States, the organization should be aware of the jurisdiction the United States may have over the data and whether federal or even state laws apply to how it is using the cloud in the United States.
An organization's medical information site is tracking individuals and using information about searches and personal information entered to develop individual profiles for marketing. The website does not inform visitors that they are being tracked and their information is being collected. Which OECD principle has been violated, and what can the organization do to remedy the situation?
The purpose specification principle has been violated. It states the following: "personal data should be collected for purposes specified not later than the time of the data collection. Subsequent use is limited to the fulfillment of the stated purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose." The organization should explicitly inform each user how their information will be used and give the user an opportunity to opt into the process.
The senior leadership of a large organization has never considered the need for information assurance in the organization's operations. After a series of attacks has crippled similar competitors, senior leadership is now concerned about information assurance. Information technology staff (both in-house and outsourced) have assured senior leadership repeatedly that there is nothing to worry about. Are they right?
The senior leaders of the organization should demand that an information assurance function be developed and a permanent information assurance program be established. The information assurance program's primary responsibility will be to enable the mission of the organization while bringing visibility into the risk the organization is assuming. The information assurance program will be authorized to perform risk assessments against both in-house and outsourced IT to provide unbiased risk information to senior leadership and the board of directors if necessary.
An organization is considering placing all its policies, procedures, standards, and guidance in a single handbook so executive management has to sign off only once. What are the advantages and disadvantages of this approach?
The sole advantage is found in only needing senior leadership approval once for the entire handbook. The issue is that as soon as a single part of the handbook is outdated, the entire handbook is outdated. Keeping a comprehensive handbook updated is also challenging because every version changes the entire context of the book. A better approach is a modular one with tiered approvals. For example, policies are approved only by senior leadership, but standards may be approved by relevant experts, such as IT standards by the CIO. Guidance could be developed and approved by almost any line manager throughout the organization. If a cohesive and modular naming framework is designed and implemented, this delegated approach to governance can be quite effective.
What laws, regulations, and standards does your organization need to comply with?
This is a complex question, since it depends largely on the country, industry, and, in some cases, the local laws of the organization. For example, media companies have discovered that while they may have started in one country, they are now subject to several different national and international laws because they have allowed people from those countries to join their services. Senior leaders and executives must ensure their information technology activities are consistent with the requirements of international and local law. Engaging legal counsel early in the process helps ensure compliance.
An executive receives an email from a known colleague with an urgent message about the financial state of their organization attached as a PDF. What should the executive do? The executive is unaware of any financial problems with the organization, and the executive didn't request this information.
This may be a spear phishing email. Opening the attachment or following links in the email may lead to the compromise of the executive's system. Once compromised, that system can be used to launch further attacks against the organization and its business partners. The prudent approach is to ensure endpoint protection by making sure that antivirus, anti-malware, and operating system patches are up to date. The organization should use security awareness training that includes content on phishing and spear phishing. Next, the executive should ensure they are logged into their system only with a limited user account. If the executive constantly uses an administrator account, they are opening themselves up to attack because every action performed, including opening the email, is performed at the administrator level of access, which can modify the system. Finally, the executive should call the sender at a known-good phone number to confirm they did send this information. If they did not, the executive may want to contact local law enforcement and determine whether they can assist in determining who is targeting the organization. The willingness and ability of law enforcement vary greatly by country and district. In almost all cases, the cost of determining who launched the attack greatly exceeds the costs associated with preventing successful spear phishing.