Chapter 9 - Cyber Security processes

Question 1

Cybersecurity risk governance structure:

Answer 1

• Org’s should have formal, codified policy statement outlining cybersecurity aims which should be overseen by board

Question 2

Considerations for cybersecurity policy:

Answer 2

• Hiring + developing qualified personnel to manage cybersecurity risks effectively (chief financial officer)
• Connection between cybersecurity and org’s integrity and values
• Board to oversee cybersecurity risks – via dedicated committee, CIO or included in terms of audit committee
• Monitoring + reporting of performance by board to ensure policy is successful
• Consider org’s tolerance to cyber-risks and connections between cybersecurity and other risks

Question 3

Developing a cybersecurity policy:

Answer 3

Involves normal risk management procedures – identification, quantification, prioritisation of risks, costing, selection and implementation of counter measures and drawing up contingency plans

Question 4

Risks management for vendors and business partners:

Answer 4

• Involves identify, assess, respond and view risk from three different perspectives

Question 5

Strategic perspective of managing risks from vendors and business partners:

Answer 5

Cybersecurity risk procedures should identify macro-level risks from third parties:

• National attack – treats that affect org’s across one or more countries
• Zero-day threats
• Major disruptions to operations

Question 6

Operational perspective of managing risks from vendors and business partners:

Answer 6

• Identifying the current and future cybersecurity risks to core services provided by third parties
• This includes risks from suppliers that handle data processing
• Need to review technical and admin threats to network security and insider threats from malicious staff
• Due diligence for third parties before appointment and ongoing monitoring through SLA

Question 7

Financial perspective of managing risks from vendors and business partners:

Answer 7

• Focus on relevant risks and quantified costs from individual threats
• By quantifying risks, the org will prioritise resources and set targets for suitable risk responses to improve security posture

Question 8

CIMA strategies to avoid being hacked:

Answer 8

1. Reconnaissance:
   * Being aware of how you appear to outsiders
   * If you look vulnerable – why is this and what can you do about it?
2. Simulation:
   * Assume that you will be hacked at some point
   * What should you do to prepare yourself?
3. Digital identity:
   * Find ways to identify everyone and everything that interacts with you digitally to prepare

Question 9

What is the Internet of things?

Answer 9

* Internet of things = network connecting objects in the physical world to the internet
Examples:	
* Smart TV’s
* Fitness trackers
* Utilities meters
* Kitchen appliances

Question 10

Risks of internet of things:

Answer 10

• Allows org’s to manipulate users by analysing their behaviour and using them for commercial purposes
• When updating or registering device IoT created cybersecurity threats such as malware and data loss or access to devices remotely

Question 11

How should org’s communicate cybersecurity policies?

Answer 11

• Communicated via a formal policy statement that is straightforward to understand and for both internal and external stakeholders
• Cybersecurity training should also be part of policy commitment to improve and for it to be delivered appropriately
• Org’s may commission formal mandatory training to ensure that digital resilience are raised across all relevant services involved in info and data management

Question 12

BPP’s cybersecurity risk management program:

Answer 12

1. Information security management system:
   * High level risk management framework, policies and procedures
2. Business continuity planning:
   * Disaster planning
3. Physical + environmental security:
   * Aim to address risks from social engineering
4. Starters, leavers and movers process:
   * Getting staff set up to use system, adapting access for staff moving to new department or role and stopping access when people leave
5. Supplier management:
   * Risk based – third-party IT service supplier should be prioritised above stationary supplier as they pose greater risk
6. Asset management:
   * Recovering assets from leavers, allowing access only to those who need it and protecting valuable assets
7. Information governance:
   * Ensure people know which info is confidential, what is publicly available and what is internal only
8. Training and awareness:
   * Making all employees aware of importance of programme and their responsibilities in maintaining it

Question 13

Protection against malware:

Answer 13

• Anti-virus software
• Personnel policies = staffs IT training + disciplinary procedures against staff who use unauthorised software
• Protect external email links by virus checking all messages and preventing files of a certain type being sent via email

Question 14

What is legacy systems?

Answer 14

Systems that have grown organically over time rather than being specifically designed

Question 15

What is a patch?

Answer 15

Software update that addresses know vulnerabilities (bug fix)

Question 16

Patch management:

Answer 16

• Patch management can be used as a preventative control (vulnerability is spotted before any damage) and as a detective control (in response to cybersecurity breach)
• Patches need to be applied as they are required to reduce risk that vulnerabilities will be exploited
• Given the cost and expertise required as well as complexity of legacy systems, this is an area that the org cannot afford to ignore

Question 17

What does encryption involve?

Answer 17

• Encryption = scrambling data at one end of a communication channel, transmitting the scrambled data and unscrambling it at receiver’s end
• Aims to ensure security of data during transmission
• To read an encrypted file, you require access to security key or password to decrypt it
• Unencrypted data = plain text, encrypted data = cipher text
• Only secure way to prevent eavesdropping

Question 18

Encryption techniques:

Answer 18

1. Digital signature:
   * Encryption by means of private keys ensuring sender is who they claim to be and providing evidence
2. Digital envelope:
   * Sending key used to encrypt the message separately form encrypted message
3. Authentication:
   * Making sure message has come from an authorised sender
   * Involves adding an extra field to a record which contents are derived from the remainder of the record to which an algorithm is applied
4. Dial-back security:
   * Requires person to dial into network and identify themselves
   * The system then dial the person back before allowing access

Question 19

Firewalls:

Answer 19

• Firewall = protect part of the communications technology to prevent unwelcome access into computer system
• Allow public access to some parts of computer systems, while denying access to other parts
• Access to rest of system is controlled by passwords
• Skilled hack may be able to bypass these precautions

Question 20

Email policies:

Answer 20

• Sending of confidential info to external sources should be prohibited or sent through encrypted or password protected
• Employees should not delete sensitive emails and should keep hard copies
• Legal disputes should not be discussed over email
• Attachments and emails should be checked for viruses
• Security software should be used to analyse attachments – electronic limits can also be placed on types of attachments

Question 21

Logical access systems prevents access by measures such as:

Answer 21

• identification of user
• authentication of user identity
• checks on user authority

Question 22

Passwords:

Answer 22

• Systems does not allow access, terminal may lock and the attempted unauthorised access should be recorded
• Keeping track of failed attempts can alert managers to repeated efforts to break into the system

Question 23

Back-up controls:

Answer 23

• Ensure that most recent useable copy of data can be recovered and restored in event of deliberate or accidental loss or corruption
• Forms part of contingency controls and should also be part of day-to-day procedures
• Back-ups should be stores in separate secure location

Question 24

Disaster planning:

Answer 24

• Information contingency planning involves response protocols that consider various risk eventualities that org may be asked to cope with and how they should respond to them
• Protocols are often practiced via simulations to ensure staff are adequately trained and that protocols are fit for purpose

Question 25

Key elements to address disaster risks:

Answer 25

1. Responsibility schedule:
   * Someone needs to be in charge, take control and delegate tasks in such a situation
2. Priorities:
   * Resources need to be prioritised as to what gets addressed first and what can be left for later
3. Back-up procedures:
   * Ongoing and as part of normal risk management – should have familiarity with how to access and install back-ups
4. Business continuity arrangements:
   * Protocols would be required for replacing premises and systems with minimal disruption to normal operational service
5. Communication protocols:
   * Systems of communication should be available in the event of a disaster – between individuals but also to public
6. Risk assessment:
   * Should be opportunity to assess how serious disaster is in order to allow most appropriate responses

Question 26

Information systems controls:

Answer 26

1. General controls:
   * Encompass software + hardware – personnel controls, passwords and access controls
2. Application controls:
   * Input controls – use of batches, data entry protocols
   * Processing controls – reconciliations and control totals
   * Output controls – exception reports, audit trails
3. Software controls:
   * Control use of unauthorised software – counterfeit software
   * Controls include buying from reputable supplier and inspections to ensure such programmes are not used
4. Network controls:
   * Protect information systems from network risks – virus protection, data encryptions, firewalls
   * Controls have to be practical – access needs to be granted, but associated risks also needs to be controlled

Question 27

Levels of integrity:

Answer 27

• IS controls needs to ensure that systems maintain suitable levels of integrity

1. Data integrity:
   * Preserved when systems data is same as found is source documents and has not been accidentally or intentionally altered, destroyed or disclosed
2. Systems integrity:
   * Operation of systems conforming to intended design specification, despite attempts to make it behave incorrectly

Question 28

Measures to control personnel risk:

Answer 28

• Careful recruitment – taking up of references
• Job rotation
• Supervisions and observation by superior
• Review of computer usage
• Enforced vacations to ensure no one person has overall control of cybersecurity related matters
• Termination procedures restricting access to sensitive data when employees leave the org

Question 29

Personnel cybersecurity planning - Division of responsibilities in data processing department:

Answer 29

• Work is divided between systems analysts, programmers and operational staff
• Operations jobs are divided between data control, data preparation and computer room operations
• To assign responsibility for certain tasks to specific jobs and individuals and to prevent deliberate error

Question 30

Personnel cybersecurity planning - end-user computing:

Answer 30

• Segregation of duties might not always be possible and therefore the same person who operated the computer also inputs data and may even write their own programmes
• It is important t ensure that data being processes is not such as to have a bearing on the assets of the business – person operating the computer and inputting data should not write programme or design system
• Suitable internal audit checks of systems should be done

Question 31

Personnel cybersecurity planning - computer support department:

Answer 31

• User and software support
• Change and configuration management
• Back-ups, documentation and maintenance
• Controls should enhance cybersecurity

Question 32

ISO 27001 – 6 step process for best practice of cybersecurity and cybersecurity responses:

Answer 32

• Agree methodology across org to ensure consistency in responding to data security
• Carry out assessment of all potential data risks across org
• Record of the treatment of risks – TARA approach
• Produce report covering all results for accreditation purposes
• Produce a statement of applicability to be reviewed by accredited ISO auditor
• Compile Risk treatment plan – implementation plan for what need to be done, who does it, how and when

Question 33

Other cybersecurity monitoring systems:

Answer 33

• Board may monitor cybersecurity either directly or via relevant committees depending on decisions regarding cybersecurity risk management governance
• Board should receive communication about cybersecurity events, threats and vulnerabilities both on regular basis and ad hoc
• Internal audit may be involved in compiling reports which focus on cybersecurity events, threats or vulnerabilities

Question 34

Corrective actions against events, threats and vulnerabilities:

Answer 34

• If monitoring identifies errors – respond either by updating the software or using temporary fix (patch)
• If monitoring identifies actual or potential security breach – responses should be swift and appropriate and in line with cybersecurity policy
• Given dynamic nature of cybersecurity threats, clarity of diagnosis and swiftness of action should be core parts of response

Question 35

Outputs from cybersecurity monitoring systems:

Answer 35

• Regulators may need to be informed
• Identification of staff responsible for deliberate attacks could lead to either specific actions against staff or more general changes to HR policies
• Weaknesses in systems could lead to changes in way in which system operates
• Consistent trends in cybersecurity events may lead to budget allocations changing
• Training needs may be identified as result of consistent threats due to poor user awareness or education
• Policy changes as result of analysing cybersecurity events
• Analysis of audit trails could also indicate root cause that needs to be addressed