ISM 5327
Describe some common security policies of an organization.
- Access control policy: how information is accessed.
- Incident response policy: how incidents are reported and responded to.
- Retention policy: how data can be stored and for how long.
What factors advocate for the adoption of a well-drafted hardware life cycle management policy?
- A systematic approach.
- Better organizational structure.
- A centralized hardware information database.
- Helps reduce risk by having and using the appropriate tools to track and manage hardware.
- Maps hardware for software compliance management and reporting.
- Automated tools for tasks such as inventory tracking and classification.
What are the typical stages in the life cycle of an application/system? Please describe them.
- Development: Developers build and deploy code in a test environment, and the development team tests the application at the most basic level.
- System integration testing: The new application is tested to ensure that it works with existing applications and systems.
- User acceptance testing: The application is tested to ensure that it provides the necessary features for end users. This environment is generally production-like.
- Production: The application is now available to users. Any feedback is captured.
What are the steps of an effective Application Portfolio Management (APM) strategy according to Gartner? Please describe each step.
- End-user experience monitoring: The most important step. The first step is to capture data on how end-to-end performance impacts the user and to identify any problem.
- Runtime application architecture discovery, modeling, and display: The second step is to study the software and hardware components involved in application execution.
- User-defined transaction profiling: Involves examining user-defined transactions as they move across the paths defined in the previous step to identify the source of the problem.
- Component deep-dive monitoring in an application context.
- Analytics: Process and evaluate the data generated in the first four steps to help discover meaningful and actionable patterns.
Describe the main risks related to end-user developed applications (EUDAs).
- Errors: Errors can occur at data entry.
- Poor version and change control: EUDAs can be more difficult to control than traditional IT-developed applications.
- Poor documentation: Files that have not been properly documented may be used incorrectly after a change in ownership of the EUDA, or they may just be used improperly in general.
- Lack of security: Unsecured files may easily be transferred among users, which introduces the risk of changes to portions of data that should remain constant.
- Lack of an audit trail: The ability to audit and control changes to key data is essential both for internal governance and for compliance with external regulation.
- Regulatory and compliance violations: The firm is still responsible for adhering to all of the security and privacy regulations.
- Risk of the unknown: It may be extremely difficult to assess just how many EUDAs exist, how many are used in critical business applications, how they are linked together, and where data is fed into or extracted from other IT applications.
- Opportunity costs: Money or employee time may be wasted on developing these applications.
What are the elements in the security framework for EUDAs? Please describe each element.
- Governance: Senior executives must define what constitutes an EUDA. This involves distinguishing EUDAs from IT-developed and supported applications and specifying which types of EUDAs should be placed under management control.
- People: Proper management and control of EUDAs requires identifying the key stakeholders in the EUDA management program.
- Process: There should be a proper process for assessing the security of an EUDA. The top concern with respect to EUDAs is the potential risks of any given application.
- Technology: The organization should perform an assessment to see what sorts of tools and enablers exist or should be acquired to support the development of EUDAs.
What are the key challenges in developing an effective cybersecurity system?
- Scale and complexity of cyberspace.
- Nature of the threat.
- Trade-off between user needs and security implementation.
List at least ten supporting techniques that can be used to protect sensitive physical information.
1. Closed-Circuit TV (CCTV)
2. Locks
3. Alarms
4. Access control
5. Vaulting
6. Intelligence reports
7. First responder interfaces
8. Facilities management solutions
9. Fire protection systems
10. Time locks
Describe at least five potential privacy threats that may occur as information is being disseminated.
1. Disclosure: The release of factual information about a person. Unfavorable news can create reputational damage.
2. Breach of confidentiality: A release of private information that comes from a violation of trust. This could be from a professional relationship, such as an accountant that releases your tax returns or an attorney that discloses private conversations or documents.
3. Exposure: The release of personal content about one's personality or physical appearance meant to embarrass and damage a person's reputation.
4. Blackmail: The threat of exposure or disclosure to obtain something of value.
5. Distortion: The manipulation of a person's public image through modifying records associated with the individual.
Briefly explain six key principles of the General Data Protection Regulation (GDPR).
1. Fair, lawful, and transparent processing: An expansive set of rules and regulations for processing personal data fairly and lawfully.
2. Purpose limitation: Data collected for one purpose or use should not be used for a new and unrelated purpose.
3. Data minimization: An organization only collects the data it needs to fulfill its obligations or its intended purposes.
4. Accuracy: Data collected must be accurate and current. Any inaccurate data should be removed.
5. Data retention periods: Data should be kept for the required retention period and removed once that period has been satisfied.
6. Data security: Measures taken by associated personnel and the organization to ensure personal data is protected from accidental or unlawful destruction, accidental loss, alteration, or any unauthorized access.
What are the typical stages of application life cycle management? Please describe each stage.
1. Gather requirements: IT works with the business units to identify the functional and business process requirements for the change or new application.
2. Design: An application development team constructs a preliminary design of the software structure.
3. Build, integrate, test: The application development team then develops and tests all the components and data flows.
4. Implement, deploy: After final approval, the application team proceeds to produce a finished implementation.
5. Operate: The IT staff will monitor the following areas: addressing changes, fixing any flaws, and monitoring service levels.
6. Optimize: Monitor and evaluate application use to determine if there are any opportunities for optimization.
What are the steps that an organization must follow to develop an ideal acquisition system for hardware assets?
1. Request and approval: This includes application of standards, redeployment, and initiation of a purchase, if appropriate.
2. Vendor relationships: This includes existing contracts and new opportunities.
3. Acquisition: A formal selection process, contract negotiations, and contract execution.
4. Receipt: Triggers payment of invoices and creation of incidents to configure and deliver the hardware to the correct individual/location/department.
Describe at least six topics that an ideal cybersecurity program includes.
1. Technical points about cybersecurity.
2. Common information and computer system security vulnerabilities.
3. Common cyber attack mechanisms.
4. Different types of cryptographic algorithms.
5. Intrusion: types of intruders, techniques, and motivation.
6. Firewalls and other means of intrusion prevention.
What are control gates at the development/acquisition phase? Please describe these control gates.
Architecture/design review: Evaluates the system's integration with other systems and the overall enterprise architecture.
Performance review: Evaluates whether the system meets the documented expectations of the owner and whether the system behaves in a predictable manner if it is subjected to improper use.
Functional test review: A review that ensures that functional requirements are sufficiently detailed and are testable after deployment.
Risk management review: A review of risk management decisions made so far if there have been changes to the system or its security controls.
Mid-project status and financial review: A review that determines if there have been changes in the planned level of effort and evaluates the effects on costs and benefits.
What does the term BYOD stand for, and what does it mean? Also, please describe at least five challenges it poses to an organization's security.
Bring your own device (BYOD) is a strategy adopted by an organization that allows employees, business partners, and other users to utilize a personally selected and purchased client device to execute enterprise applications and access company data. Challenges: data management issues, data compliance issues, malicious applications, and lost or stolen devices.
Explain the roles in a security governing body structure in COBIT 5.
· Chief information security officer (CISO) —The CISO carries overall responsibility for the enterprise information security program.
· (ISS) committee —This committee ensures constant monitoring and review to ensure that good practices in information security are applied effectively and consistently throughout the enterprise. It acts as a watchdog.
· Information security manager (ISM) —The ISM holds overall responsibility for the management of all aspects of information security.
· Enterprise risk management (ERM) committee —This is the main decision-making body of the enterprise to assess, control, optimize, finance, and monitor risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders.
· Information custodians/business owners —They act as intermediaries between the business and information security functions.
Describe the benefits of EUDAs.
Convenience and ease of use: EUDAs can be developed easily and quickly by non-IT staff, allowing businesses and users to quickly deploy solutions.
Powerful tools and technology-aware end users: End-user tools offer rich functionality, including the ability to connect to corporate data sources.
Demand for information: The lack of flexibility in traditional reports in IT systems has resulted in an increase in the level of end-user.
Describe the "select-control-evaluate" framework for capital planning.
The framework defines a process to evaluate which projects are worth pursuing and allocating firm capital towards. Select: choose the project that best meets the firm's needs after a thorough analysis of the risk and return of each option. Control: the next step, where there is continued evaluation to ensure the selected project is meeting expected levels of cost and risk. Evaluate: the final step, where a comparison is made between the final result and the expected result.
Explain three categories of metrics for evaluating an organization's security governance.
Executive management support —This is the most critical component for the success of any cybersecurity program.
Business and information security relationship —There has to be a strong and symbiotic relationship between business goals and objectives and information security in any organization.
Information protection —This is concerned with the pervasiveness and strength of information security mechanisms.
reflect the degree of awareness of information security issues.
How can a company ensure personnel security? Please describe these principles.
Least privilege —Give each person the minimum access necessary to do his or her job.
Separation of duties —Carefully separate duties so that people involved in checking for inappropriate use are not also capable of perpetrating such inappropriate use.
Limited reliance on key employees —No one in an organization is irreplaceable.
What are the best practices for managing the System Development Life Cycle (SDLC) according to the International Foundation for Information Technology?
Ownership: Assign accountability for system development management to key individuals, committees, or departments.
Inventory: Maintain a central database of all items related to the management of system development.
Terminology: Use standard terminology for the various aspects of system development.
Data centralization: Data that are required by or useful for stakeholders involved in system development should be maintained in a central repository.
Metrics: There should be an agreed-upon set of performance metrics that can be defined, tracked, and analyzed to assess progress in system development.
Transparency: Stakeholders should always strive to make any and all system development management data transparent to all appropriate stakeholders.
Standards and best practices: System development should follow industry standards and best practices.
What are the four phases of the DevOps reference architecture?
Plan and measure: The planning process relates business needs to the outcomes of the development process.
Develop and test: This activity focuses on collaborative development, continuous integration of the new code, and continuous testing in a real-world environment.
Release and deploy: Provides a continuous delivery pipeline that automates deployment to test and production environments.
Monitor and optimize: This activity includes continuous monitoring, customer feedback, and optimization to monitor how applications are performing post release, allowing for any changes needed.
Explain the functions that information security management performs.
Information security management is responsible for establishing and implementing effective security controls and for monitoring all information security programs of the organization to ensure proper adherence.
What are the key security considerations through the SDLC?
Secure concept of operations: Define the overall concept and guidelines for secure development and deployment in the target environment.
Standards and processes: The team should document the standards and best practices that will be followed.
Security training for the development team: Determine what security training is needed for key developers to understand current threats and any potential future exploitation.
Quality management: Define a quality management protocol, including planning, assurance, and control.
Secure environment: Ensure the development environment meets the organization's security requirements.
Secure code practices and repositories: Extra attention on code repositories, with an emphasis on check-in/check-out functionality.
What are the differences between information security governance and information security management?
Security governance is the system by which an organization directs and controls its overall security, thereby meeting all strategic needs of the organization. Security management is concerned with making decisions to mitigate risks by using the information as input and then applying it in the risk management process.
What are the major activities of the Information Security Forum?
The Standard of Good Practice for Information Security (SGP) is a focused reference guide for enterprises to identify and manage information security risks in their operations and supply chains.
What are the major technologies commonly implemented for cybersecurity in large organizations?
Cryptography, network security protocols, operating system mechanisms, database security schemes, firewalls, and antivirus protection.
Explain the key security program areas.
The security program involves multiple areas of management and is led by the Chief Information Security Officer (CISO) and the Information Security Manager (ISM). Areas include security planning, capital planning, awareness and training, information security governance, system development life cycle, security product and service acquisitions, risk management, configuration management, incident response, contingency planning, and performance measures.
Briefly explain the need for an effective information security policy.
An effective information security policy is necessary to establish the laws, rules, and practices for how the organization manages, distributes, and protects its assets, and how each individual's role and responsibility fit within that policy.
List twenty common cybersecurity threat forms.
Malware, virus, worm, ransomware, spam, Trojan horse, trapdoor, exploits, spam programs, flooders, zombies/bots, spyware, adware, DNS attacks, DoS attacks, remote access attacks, phishing, sniffing, website exploit, and password attack.
Explain the acronym RACI in the context of information security policy.
Responsible, accountable, consulted, and informed.
What are the four factors that determine risk, and how are they related to each other?
· Asset —Anything that can be given a monetary value is an asset of an organization.
· Threat —Any risk that has the potential to damage an asset is a threat.
· Vulnerability —Any trapdoor or unintended weak point of a system is a vulnerability.
· Control —A control is an action to stop a potential threat from causing damage.
What are the four phases of the cybersecurity learning continuum? Please describe each level.
· Awareness —A set of activities that explains and promotes security, establishes accountability, and informs the workforce of security news.
· Cybersecurity essentials —Intended to develop secure practices in the use of IT resources.
· Role-based training —Intended to provide knowledge and skills specific to an individual's roles and responsibilities relative to information systems.
· Education/certification —Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and adds a multidisciplinary study of concepts, issues, and principles (technological and social).
List and describe security threats to Industrial Control Systems (ICS).
· Blocked or delayed flow of information through the ICS network.
· Unauthorized changes to instructions, commands, or alarm thresholds.
· Inaccurate information sent to system operators.
· ICS software or configuration settings modified, or ICS software infected with malware.
· Interference with equipment protection systems.
· Interference with the operation of safety systems, which could endanger human life.
Describe the six stages of the information security risk management process.
· Context establishment —Set the basic criteria necessary for information security risk management.
· Risk assessment —Identify the risk, analyze it thoroughly, and then evaluate the risk.
· Risk treatment —Mitigate the risk.
· Risk acceptance —Accepted risk should be explicitly communicated to managers/decision makers with the caveat that it cannot be reduced further and should be accepted.
· Risk communication and consultation —Continual and iterative processes an organization follows to provide, share, or obtain information about the risk and to keep updating or taking feedback from the key stakeholders regarding the management of risk.
· Risk monitoring and review —Continuous monitoring and review of all risk information obtained from the risk management activities.
Regarding risk assessment, what are the different types of assets?
· Hardware assets —This includes physical servers, workstations, laptops.
· Software assets —This includes applications, operating systems and other system software, and virtual machines.
· Information assets —This includes assets directly connected with information or its storage.
· Business assets —This category includes all other organization assets (such as human capital, business processes, and factory location).
What are the core functions in the NIST cybersecurity framework?
· Identification —This implies development of organizational understanding of management of cybersecurity risk to systems, assets, data, and capabilities.
· Protection —This implies development and implementation of appropriate safeguards for ensuring delivery of critical infrastructure services.
· Detection —This implies development and implementation of appropriate activities for identification of any occurrence of a cybersecurity event.
· Response —This implies development and implementation of appropriate activities for taking action regarding a detected cybersecurity event.
· Recovery —This implies development and the appropriation of activities needed for maintenance of plans for resilience and for restoration of capabilities or services impaired due to a cybersecurity event.
What are the major security concerns related to mobile devices according to SP 800-14?
· Lack of physical security controls —Theft and tampering are realistic threats.
· Use of untrusted mobile devices —Virtually all employees have personal smartphones or tablets. These devices may not employ encryption.
· Use of untrusted networks —Potentially susceptible to eavesdropping or man-in-the-middle attacks.
· Use of applications created by unknown parties —Third-party applications on mobile devices pose the risk of installing malicious software.
· Interaction with other systems —There is a considerable risk that data will be stored in an unsecured location, and there is also a risk of malware introduction.
· Use of untrusted content —Mobile devices may access and use content that other computing devices do not encounter.
· Use of location services —The GPS capability on mobile devices can be used to maintain knowledge of the physical location of the device.
What should be the goals for a security awareness program?
· Provide a focused approach for all awareness, training, and educational activities related to information security, with better coordination to make it more effective.
· Communicate key recommended guidelines or practices required to secure information resources.
· Provide general and specific information about information security risks and controls to people on a need basis.
· Make individuals aware of their responsibilities in terms of information security.
· Motivate individuals to adopt recommended guidelines or practices by giving incentives (corporate goodies).
· Create a stronger culture of security with individual commitment to information security.
Explain the key ingredients of a risk analysis worksheet.
· Security issues —This gives a brief statement of the security issue or area of concern as well as a description of compliance issues.
· Likelihood —This is the estimated likelihood of an occurrence of the linked threat/vulnerability pair.
· Impact —This is the estimated impact for the linked threat/vulnerability pair.
· Risk level —This is assessed according to the matrix shown in Figure 3.8 of Chapter 3.
· Recommended security controls —These are specific security controls recommended by the team.
· Control priorities —These are the relative priorities of the recommended controls.
· Comments —This is a relevant note for the security risk management decision-making process linked with this security issue.
Please list and describe the principal elements of an Industrial Control System (ICS).
· Sensor —Measures some parameter of a physical, chemical, or biological entity and delivers an electronic signal.
· Controller —Interprets the signals and generates corresponding manipulated variables. Controllers have very limited intelligence and may rely on a human-machine interface for direction.
· Actuator —Receives an electronic signal from a controller and responds by interacting with its environment to produce an effect on some parameter of a physical, chemical, or biological entity.
· Human-machine interface —Operators and engineers use human interfaces to monitor and configure set points and control algorithms, and to adjust and establish parameters in the controller.
· Remote diagnostics and maintenance —Used to prevent, identify, and recover from abnormal operation or failures.
Describe the two possible types of threats in the information collection process in today's information scenario.
· Surveillance —The watching, listening to, and/or recording of an individual's activities without their knowledge or consent. This could be seen as problematic and a violation of their right to privacy.
· Interrogation —The pressuring of an individual to disclose information they otherwise would not want to. This is done by force or through other measures that create uncomfortable pressure to divulge sensitive information.