Chapter 9 - Cyber Security processes Flashcards
Cybersecurity risk governance structure:
- Orgs should have a formal, codified policy statement outlining cybersecurity aims, which should be overseen by the board
Considerations for cybersecurity policy:
- Hiring + developing qualified personnel to manage cybersecurity risks effectively (chief financial officer)
- Connection between cybersecurity and org’s integrity and values
- Board to oversee cybersecurity risks – via dedicated committee, CIO or included in terms of audit committee
- Monitoring + reporting of performance by board to ensure policy is successful
- Consider org’s tolerance to cyber-risks and connections between cybersecurity and other risks
Developing a cybersecurity policy:
Involves normal risk management procedures: identification, quantification and prioritisation of risks; costing, selection and implementation of countermeasures; and drawing up contingency plans
Risk management for vendors and business partners:
- Involves identifying, assessing and responding to risk, viewed from three different perspectives
Strategic perspective of managing risks from vendors and business partners:
Cybersecurity risk procedures should identify macro-level risks from third parties:
- National attack – threats that affect orgs across one or more countries
- Zero-day threats
- Major disruptions to operations
Operational perspective of managing risks from vendors and business partners:
- Identifying the current and future cybersecurity risks to core services provided by third parties
- This includes risks from suppliers that handle data processing
- Need to review technical and admin threats to network security and insider threats from malicious staff
- Due diligence for third parties before appointment and ongoing monitoring through SLA
Financial perspective of managing risks from vendors and business partners:
- Focus on relevant risks and quantified costs from individual threats
- By quantifying risks, the org will prioritise resources and set targets for suitable risk responses to improve security posture
CIMA strategies to avoid being hacked:
- Reconnaissance:
* Being aware of how you appear to outsiders
* If you look vulnerable – why is this and what can you do about it?
- Simulation:
* Assume that you will be hacked at some point
* What should you do to prepare yourself?
- Digital identity:
* Find ways to identify everyone and everything that interacts with you digitally to prepare
What is the Internet of things?
* Internet of things = network connecting objects in the physical world to the internet
* Examples: smart TVs, fitness trackers, utilities meters, kitchen appliances
Risks of internet of things:
- Allows orgs to manipulate users by analysing their behaviour and using the data for commercial purposes
- Updating or registering IoT devices creates cybersecurity threats such as malware, data loss or remote access to devices
How should org’s communicate cybersecurity policies?
- Communicated via a formal policy statement that is straightforward to understand for both internal and external stakeholders
- Cybersecurity training should also be part of the policy commitment, to improve it and to ensure it is delivered appropriately
- Orgs may commission formal mandatory training to ensure that digital resilience is raised across all relevant services involved in info and data management
BPP’s cybersecurity risk management program:
- Information security management system:
* High level risk management framework, policies and procedures
- Business continuity planning:
* Disaster planning
- Physical + environmental security:
* Aim to address risks from social engineering
- Starters, leavers and movers process:
* Getting staff set up to use the system, adapting access for staff moving to a new department or role and stopping access when people leave
- Supplier management:
* Risk based – a third-party IT service supplier should be prioritised above a stationery supplier as they pose greater risk
- Asset management:
* Recovering assets from leavers, allowing access only to those who need it and protecting valuable assets
- Information governance:
* Ensure people know which info is confidential, what is publicly available and what is internal only
- Training and awareness:
* Making all employees aware of the importance of the programme and their responsibilities in maintaining it
Protection against malware:
- Anti-virus software
- Personnel policies = staff IT training + disciplinary procedures against staff who use unauthorised software
- Protect external email links by virus checking all messages and preventing files of a certain type being sent via email
What are legacy systems?
Systems that have grown organically over time rather than being specifically designed
What is a patch?
Software update that addresses known vulnerabilities (bug fix)
Patch management:
- Patch management can be used as a preventative control (vulnerability is spotted before any damage) and as a detective control (in response to cybersecurity breach)
- Patches need to be applied as they are required to reduce risk that vulnerabilities will be exploited
- Given the cost and expertise required as well as complexity of legacy systems, this is an area that the org cannot afford to ignore
What does encryption involve?
- Encryption = scrambling data at one end of a communication channel, transmitting the scrambled data and unscrambling it at receiver’s end
- Aims to ensure security of data during transmission
- To read an encrypted file, you require access to security key or password to decrypt it
- Unencrypted data = plain text, encrypted data = cipher text
- Only secure way to prevent eavesdropping
Encryption techniques:
- Digital signature:
* Encryption by means of private keys, ensuring the sender is who they claim to be and providing evidence
- Digital envelope:
* Sending the key used to encrypt the message separately from the encrypted message
- Authentication:
* Making sure the message has come from an authorised sender
* Involves adding an extra field to a record whose contents are derived from the remainder of the record by applying an algorithm
- Dial-back security:
* Requires the person to dial into the network and identify themselves
* The system then dials the person back before allowing access
Firewalls:
- Firewall = protected part of the communications technology that prevents unwelcome access into the computer system
- Allow public access to some parts of computer systems, while denying access to other parts
- Access to rest of system is controlled by passwords
- A skilled hacker may be able to bypass these precautions
Email policies:
- Sending of confidential info to external sources should be prohibited, or sent encrypted or password-protected
- Employees should not delete sensitive emails and should keep hard copies
- Legal disputes should not be discussed over email
- Attachments and emails should be checked for viruses
- Security software should be used to analyse attachments – electronic limits can also be placed on types of attachments
Logical access systems prevent access by measures such as:
- identification of user
- authentication of user identity
- checks on user authority
Passwords:
- The system does not allow access, the terminal may lock and the attempted unauthorised access should be recorded
- Keeping track of failed attempts can alert managers to repeated efforts to break into the system
Back-up controls:
- Ensure that most recent useable copy of data can be recovered and restored in event of deliberate or accidental loss or corruption
- Forms part of contingency controls and should also be part of day-to-day procedures
- Back-ups should be stored in a separate secure location
Disaster planning:
- Information contingency planning involves response protocols that consider various risk eventualities that org may be asked to cope with and how they should respond to them
- Protocols are often practiced via simulations to ensure staff are adequately trained and that protocols are fit for purpose
Key elements to address disaster risks:
- Responsibility schedule:
* Someone needs to be in charge, take control and delegate tasks in such a situation
- Priorities:
* Resources need to be prioritised as to what gets addressed first and what can be left for later
- Back-up procedures:
* Ongoing and part of normal risk management – staff should be familiar with how to access and install back-ups
- Business continuity arrangements:
* Protocols would be required for replacing premises and systems with minimal disruption to normal operational service
- Communication protocols:
* Systems of communication should be available in the event of a disaster – between individuals but also to the public
- Risk assessment:
* There should be an opportunity to assess how serious the disaster is in order to allow the most appropriate responses
Information systems controls:
- General controls:
* Encompass software + hardware – personnel controls, passwords and access controls
- Application controls:
* Input controls – use of batches, data entry protocols
* Processing controls – reconciliations and control totals
* Output controls – exception reports, audit trails
- Software controls:
* Control use of unauthorised software – counterfeit software
* Controls include buying from a reputable supplier and inspections to ensure such programmes are not used
- Network controls:
* Protect information systems from network risks – virus protection, data encryption, firewalls
* Controls have to be practical – access needs to be granted, but the associated risks also need to be controlled
Levels of integrity:
- IS controls needs to ensure that systems maintain suitable levels of integrity
- Data integrity:
* Preserved when system data is the same as that found in source documents and has not been accidentally or intentionally altered, destroyed or disclosed
- Systems integrity:
* Operation of systems conforming to the intended design specification, despite attempts to make them behave incorrectly
Measures to control personnel risk:
- Careful recruitment – taking up of references
- Job rotation
- Supervision and observation by a superior
- Review of computer usage
- Enforced vacations to ensure no one person has overall control of cybersecurity related matters
- Termination procedures restricting access to sensitive data when employees leave the org
Personnel cybersecurity planning - Division of responsibilities in data processing department:
- Work is divided between systems analysts, programmers and operational staff
- Operations jobs are divided between data control, data preparation and computer room operations
- To assign responsibility for certain tasks to specific jobs and individuals and to prevent deliberate error
Personnel cybersecurity planning - end-user computing:
- Segregation of duties might not always be possible, and therefore the same person who operates the computer also inputs data and may even write their own programmes
- It is important to ensure that the data being processed is not such as to have a bearing on the assets of the business – the person operating the computer and inputting data should not write programmes or design the system
- Suitable internal audit checks of systems should be done
Personnel cybersecurity planning - computer support department:
- User and software support
- Change and configuration management
- Back-ups, documentation and maintenance
- Controls should enhance cybersecurity
ISO 27001 – 6 step process for best practice of cybersecurity and cybersecurity responses:
- Agree methodology across org to ensure consistency in responding to data security
- Carry out assessment of all potential data risks across org
- Record of the treatment of risks – TARA approach
- Produce report covering all results for accreditation purposes
- Produce a statement of applicability to be reviewed by accredited ISO auditor
- Compile risk treatment plan – implementation plan for what needs to be done, who does it, how and when
Other cybersecurity monitoring systems:
- Board may monitor cybersecurity either directly or via relevant committees depending on decisions regarding cybersecurity risk management governance
- Board should receive communication about cybersecurity events, threats and vulnerabilities both on regular basis and ad hoc
- Internal audit may be involved in compiling reports which focus on cybersecurity events, threats or vulnerabilities
Corrective actions against events, threats and vulnerabilities:
- If monitoring identifies errors – respond either by updating the software or using temporary fix (patch)
- If monitoring identifies actual or potential security breach – responses should be swift and appropriate and in line with cybersecurity policy
- Given dynamic nature of cybersecurity threats, clarity of diagnosis and swiftness of action should be core parts of response
Outputs from cybersecurity monitoring systems:
- Regulators may need to be informed
- Identification of staff responsible for deliberate attacks could lead to either specific actions against staff or more general changes to HR policies
- Weaknesses in systems could lead to changes in way in which system operates
- Consistent trends in cybersecurity events may lead to budget allocations changing
- Training needs may be identified as result of consistent threats due to poor user awareness or education
- Policy changes as result of analysing cybersecurity events
- Analysis of audit trails could also indicate root cause that needs to be addressed