Information Security & Awareness Midterm
information security governance (ISG)
set of practices in organization that align security strategies with business objectives to ensure objectives are achieved, verify that resources are used responsibly, and define responsibility and accountability so that the organization can achieve an acceptable level of risk
threat agent
source that has the potential of causing a threat
threat
those who would seek to misuse or abuse it
__________, a critical part of an organization's culture, is critical for effective information security governance.
tone at the top
Which of the following is a flaw, loophole, oversight, or error that makes an organization susceptible to attack or damage?
vulnerability
Acme Corp. is conducting a business impact analysis for the threat of ransomware impacting its organization. The company determines that there is a 1 percent risk of a significant ransomware attack in any given year. Overall annual revenue for the company is valued at $10,000,000 and estimates are that a large ransomware attack would cause approximately $1,000,000 in damage. What is the single loss expectancy (SLE) in this scenario?
$1 million
Components of Reactive Policies:
-New Threat/Attack -New Policy/Defense -Threat Analysis
top four cybersecurity frameworks
-PCI DSS: 47% -ISO 27001/27002: 35% -CIS Critical Security Controls: 32% -NIST Framework for Improving Critical Infrastructure Security: 29%
ten domains for cybersecurity capability maturity model
-Risk Management: RM -Asset, Change, and Configuration Management: ACM -Identity and Access Management: IAM -Threat and Vulnerability Management: TVM -Situational Awareness: SA -Information Sharing and Communications: ISC -Event and Incident Response, Continuity of Operations: IR -Supply Chain and External Dependencies Management: EDM -Workforce Management: WM -Cybersecurity Program Management: CPM
gray area: PII or Non-PII?
-anonymized data that is de-anonymized (IP address linked to domain name that identifies person) -non-PII that, when linked with other data, can effectively identify person -persistent identifiers (geolocation data; site history and viewing patterns)
four responses to risk
-avoid: ending activities that place enterprise within reach of associated threat -mitigate: changing affected business processes or implementing new controls -transfer/share: outsourcing process or insuring against potential cost -accept: acknowledging it and moving on without further action
impact on security policy
-can't write level 4 policies and standards if you are level 2 organization (unless you are writing for future) -can't write level 2 policies and standards if you need to be level 4 organization (and expect to get there quickly) -can't write level 2 policies and standards if you are level 3 organization
risk
-combination of probability (or frequency) of event and its consequences (or magnitude) -possibility of loss or injury...potential of gaining or losing something of value
maturity model involves five aspects:
-commitment to perform -ability to perform -activities performed -measurement and analysis -verifying implementation
procedures
-consist of step-by-step instructions to assist workers in implementing various policies, standards, and guidelines -specific step-by-step instructions to properly operate control or execute process -could be written instruction on how to configure auditing on server, run vulnerability scanner, or implement firewall rule
why is privacy important?
-data is corporate asset -corporate data is at higher risk of theft or misuse than ever before -companies have obligations to protect data
effective policy should:
-define information as company asset -underscore importance of information as asset -set rules of behavior in handling information asset -describe how to report suspected policy violation -articulate consequences of policy violations -authorize investigation of policy violations
key elements of ISG
-defined organizational alignment and structure (where does security live and why; what is the purpose of your security organization) -policies and procedures -awareness and training -technical security controls and countermeasures -auditing, monitoring, and metrics
standards
-describes implementation and management of information security controls -provides information security control to meet required specifications, including those for meeting specific industries or regulatory compliance objectives
IT risk management
-developing collection of IT risk scenarios -reduces risks by defining and controlling threats and vulnerabilities
quantitative
-does more complex calculations -mathematical and statistical calculations -uses independently verifiable and objective metrics -allows cost/benefit analysis -easier to automate -used in risk management performance tracking -without automated tools, process is very difficult -more preliminary work is needed to gather detailed information about environment
attributes of good policies:
-endorsed: policy has support of management -relevant: policy is applicable to organization -realistic: policy makes sense -attainable: policy can be successfully implemented -adaptable: policy can accommodate change -enforceable: administrative, physical, or technical controls can be put in place to support policy -inclusive: policy scope includes all relevant parties, areas, and technologies
benefits of effective IS governance
-ensure security of assets (information and technology) -provide framework for security (codifies the desired security level; ability to measure current security posture; helps keep practices up to date) -communicate cybersecurity requirements with stakeholders (assists in prioritizing improvement activities; enables investment decisions to address gaps) -provides mechanism to assess risk
four main objectives to risk governance:
-establish and maintain common risk view -integrate risk management into enterprise -make risk-aware business decisions -ensure that risk management controls are implemented and operating correctly
strategic metrics
-every policy should be measurable -every statement should have defined metrics that signal when it is being followed/executed well and when it is not
purpose of risk analysis
-identify threats to business processes and information systems -justify implementation of specific countermeasures to mitigate risk
planning an intentional methodology for constructing security program:
-identifying our important assets -identifying potential threats against them -assessing vulnerabilities that we have present -taking steps to mitigate these risks
security governance framework
-information security risk management methodology -comprehensive security strategy explicitly linked with business and IT objectives -effective security organizational structure -security strategy that talks about the value of information protected -security policies that address each aspect of strategy, control and regulation -complete set of security standards for each policy to ensure that procedures and guidelines comply with policy -institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk -process to ensure continued evaluation and update of security policies, standards, procedures and risks
mitigating risk
-inherent risk represents amount of risk that exists before mitigation -residual risk is amount of risk that remains after controls (countermeasures) are implemented -Total Risk - Countermeasures = Residual Risk
5 maturity levels
-initial -managed -defined -quantitatively managed -optimizing
why focus on risk
-management of organizational risk is key element in organization's information security program -provides effective framework for selecting appropriate security controls for system (security controls necessary to protect individuals and operations and assets of organization)
governance application to information security (three dimensions)
-organizational culture -business process structure -business operations
two types of information
-personally identifiable information (PII) can be linked to specific individual (name, email, full postal address, birth date, SSN, driver's license number, account numbers) -non-personally identifiable information (non-PII) cannot, by itself, be used to identify specific individual (aggregate data, zip code, area code, city, state, gender, age)
intro to policy framework (bottom up pyramid)
-policy (sets high-level expectations) -control objective (identifies desired conditions to be met) -standard (assigns quantifiable requirements) -procedure (establishes proper steps to take) -guideline (provides additional, recommended guidance)
information security policy is directive that defines how organization is going to:
-protect organization, its employees, its customers, and vendors from harm resulting from intentional or accidental damage, misuse, or disclosure of information -protect integrity of information and ensure availability of information systems -ensure compliance with legal and regulatory requirements
structuring the organization
-protect, shield, defend, and prevent -monitor, hunt, detect -respond, recover, sustain -management, governance, compliance, education, risk management
qualitative
-requires no calculations -involves higher degree of estimating -provides generalities and indications of risk -does not allow cost/benefit analysis -based on opinions of individuals -eliminates opportunity to create dollar value for cost/benefit analysis -hard to develop security budget from results
potential contents of policy
-scope: should address all information, systems, facilities, programs, data, networks and all users of technology in organization, without exception -information classification: should provide content-specific definitions rather than generic confidential or restricted -management goals: place of policy in context of other management directives and supplementary documents (is agreed by all at executive level, all other information handling documents must be consistent with it) -supporting documents: include references to supporting documents (roles and responsibilities, process, technology standards, procedures, guidelines) -specific instructions: include instruction on well-established organization-wide security mandates -responsibilities: outline specific designation of well-established responsibilities (technology department is sole provider of telecommunications lines) -consequences: include consequences for non-compliance (up to and including dismissal or termination of contract)
purpose of cybersecurity policy
-to clearly and unambiguously express goals and objectives as well as boundaries for security management and security solutions -to define role and scope of cybersecurity within general information security
why do we need policy?
-to influence and guide present and future decision making -define acceptable use of enterprise assets -ensure consistency in protection efforts across enterprise -Cover Your Assets (legal, ethical, compliance) -should be at center of risk assessment/management, security planning, auditing, and compliance processes
applying ISG as security professional
-understand organization's goals -identify risk within those goals (quantify/qualify those risks) -understand your current cybersecurity capabilities (what do you do well, where are your gaps) -communicate security and risk to internal stakeholders in terms they understand -help them make decisions about how to treat risks in appropriate manner -understand company culture and match security culture to company culture
What is at risk?
Ability to offer, fulfill your "Brand Commitment"
When faced with a risk, there are generally four possible responses for addressing that risk. The four choices are Avoid, Mitigate, Transfer, or ________.
Accept
calculating risk
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
The three primary concepts in information security are Confidentiality, Integrity, and ___________.
Availability
What is at risk?
Business continuity and resilience
ISG tasks maintain ___ and ___ across all information systems, employees, and resources in the organization
CIA and PSR
What is at risk?
Competitive advantage; market and investor confidence
Traditional Security Focus (CIA)
Confidentiality, Integrity, Availability
What is at risk?
Customer retention and growth
how much security is enough
Determine: -adversary (means, motives, and opportunity) -asset value -threats -vulnerabilities -resulting risk -countermeasures -risk appetite
What is at risk?
Ethics and duty of care
(T/F) Risk Management is the practice of passing on the risk in question to another entity, such as an insurance company.
False
Five possible motivations for threat actors (i.e., hackers, attackers) who target companies from an information security perspective are wrath, ideology, opportunity, glory and __________.
Gain
Which one of the motivations from the previous question is behind most of the breaches in the last year?
Gain
Related to the concept of risk governance, one of the four objectives of risk governance is:
Integrate risk management into the enterprise.
Impact of digital, social and convergence of IoT (PSR)
Privacy, Safety, Reliability
What is at risk?
Relationships with business partners
R = L * I (qualitative definition)
Risk = (Likelihood/probability of incident occurring) * Impact of Incident
A formal security strategy is implemented in part by developing and deploying comprehensive ________________ that reflect the objectives of the organization and address each element of the strategy.
Security policies
IT risk
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
(T/F) Two social/technical/business trends that have led to the importance of Privacy, Safety and Reliability in the information security domain are the Internet of Things and digital business enablement.
True
(T/F) Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction," according to US law.
True
What is at risk?
Trust - Reputation, brand, image
Five reasons why people do bad things
Wrath, Gain, Glory, Ideology, Opportunity
attack
action intending harm by exploiting vulnerability
countermeasures and safeguards
action or control that mitigates potential risk
risk governance
actions, processes, traditions and institutions by which authority is exercised and decisions are taken and implemented; applies principles of identification, assessment, management and communication of risks
risk appetite
amount of risk that enterprise prefers to accept as it pursues its objectives
threat
any potential danger to information or an information system
strong security culture
both mindset and mode of operation; integrated into day-to-day thinking, business processes and decision making
what's the potential harm?
breaches of data privacy, data security can result in: -damage to reputation -disruption of operations -legal liability under new and amended laws, regulations, and guidelines, as well as under contracts -financial costs
A hacker gains access to a web server and reads the credit card numbers stored on that server. Which security principle is violated?
confidentiality
IT risk scenario
description of IT-related event that can lead to loss event that has business impact, when and if it should occur
quantitative risk analysis
determine asset value > calculate exposure factor > calculate SLE > assess annualized rate of occurrence > determine annualized loss expectancy
risk management
discipline for governing possibility that future events may cause harm; reduces risks by defining and controlling threats and vulnerabilities
policy
document that records high-level principle or course of action that has been decided on
One of the chief reasons to develop a formal information security program is to __________________________.
ensure the security of information assets.
why is writing policy hard
every company's risk appetite, culture, business processes, legal requirements, customer expectations, leadership, structure, control structure and technology is different
risk tolerance
extent that actual risk can be permitted to deviate from (exceed) risk appetite
vulnerability
information system weakness that could be exploited
risk
likelihood of unwanted event occurring
governance
mechanisms, processes, rights, responsibilities, policies, decision making, and objective setting that determine how an entity is controlled and directed
__________ are risks that are associated with the day-to-day operation of the business and its operational and administrative processes.
operational risk
asset
our information/data, and the systems that hold it
residual risk
portion of risk that remains
information technology risk
possibility of loss or injury related to use of computers to store, retrieve, transmit, and manipulate data, or information, often in context of business or other enterprise
security risk
potential that an asset will be compromised and thereby cause harm to an organization, customers, employees, the public
Security Risk Analysis
process of identifying assets, identifying and assessing vulnerabilities, and determining threats
risk analysis
process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact
cyber security
protecting our assets from threats to the best extent we reasonably can, given our environment and tolerance for risk
asset
resource (physical or logical) that is valued by organization
risk formula
risk = asset (value) + threat + vulnerability
Effective governance starts with defining the enterprise _________, the amount of risk that the enterprise prefers to accept as it pursues its objectives.
risk appetite
The primary vehicle of tracking risks and the remediation of them is _______
risk register
Your company recently purchased a cybersecurity insurance policy that will cover your organization's expenses in the event of a data breach. What risk management strategy is your company pursuing?
risk tolerance
maturity model
set of characteristics, attributes, indicators, or patterns that represent capability and progression in particular discipline