Chapter 9 Flashcards
What are the categories of cyber risk for organizations?
-Deliberate and unauthorized breaches of security in order to access information systems
-Unintentional or accidental security breaches
-Operational IT risks
Explain behavioural management
-To prevent falling victim to phishing, spear phishing, or other social engineering scams
-Includes developing policies and awareness training on cyber security, use of personal electronic devices, and social media
Explain systems and technology management
-Individuals and organizations can stay up-to-date with technology and security best practices
-Can address vulnerabilities as they are discovered by software companies
What are the different data protection policies companies should have?
Data classification policy
Data retention policy
Data destruction policy
Clear desk and screen policy
Explain data classification policy
Outlines data labels, and how they are to be applied to documents both digital and physical. Based on each classification, different protections can be applied.
Explain data retention policy
Defines the lifespan for different types of business documents
Explain data destruction policy
Data that has reached its end of life must be disposed of in a secure manner. One of the following methods should be used:
Disintegration
Incineration
Pulverize
Shred
Melt
What are some steps to take when maintaining and updating technology resources?
-Install and maintain antivirus software, firewalls, software patches
-Use anti-spyware tools
-Use technical expertise when required
-Promptly disable access to the network after employees are terminated
What are some steps to take when maintaining vigilance on the network?
-Practice regular diagnostic testing and monitoring
-Analyze operations to identify areas vulnerable to IT risks
-Remove unused software and unused user accounts
-Conduct reference checks on employees
-Monitor employee online activity
-Deal with disruptive behaviour and threatening comments from internal and external sources
-Implement a forensic response plan at the first sign of attack
-Develop business continuity plan
What are some steps to take when instituting employee protocols?
-Train all employees in security awareness
-Document and implement policies and procedures
-Implement a password system with adequate controls and appropriate standards
-Use caution with email attachments
-Limit access to confidential and sensitive information
-Have users lock their computers when they are away from their desk
-Restrict to whom employees can send “out of office” messages
-Limit or restrict use of wireless hotspots, as well as chat rooms, blogs, and instant messaging
-Do not allow downloads
-Prepare user agreement for computers and communications, and require all employees to sign
What are five simple ways the Government of Canada recommends to improve online safety?
- Use strong unique passwords that are different for every site requiring a login
- Keep operating systems up-to-date
- Only connect to Wi-Fi networks that are known and trustworthy
- Turn off Bluetooth, camera, and location services
- Don’t download from questionable sources
How can insurance industry stakeholders promote cyber security?
-Offer more coverage to clients who adopt preventive measures
-Offer cyber insurance premiums based on the insured's level of self-protection
-Provide clients with information resources or other services to promote cyber awareness
-Ensure compliance with privacy laws, such as PIPEDA, the Digital Privacy Act, and Canada's Anti-Spam Legislation
Explain security analysis
-Includes risk assessment to identify gaps in a firm's cyber security processes and systems
-May include helping the firm with disaster planning, including business continuity planning or cyber incident response planning, and then validating the response plan so people know how to react correctly to a cyber incident
What does cyber security monitoring include?
Threat detection
Network and cloud intrusion detection
Firewall infrastructure monitoring
Security log monitoring
Managed detection and response
What are reasons to purchase cyber insurance?
Access pre-breach services
Satisfy regulatory requirements
Cover human error
Combat ransomware attacks
Cover costs resulting from data breaches
Cover business interruption costs