Chapter 9 - Cyber Security processes Flashcards
Cybersecurity risk governance structure:
- Orgs should have a formal, codified policy statement outlining cybersecurity aims, which should be overseen by the board
Considerations for cybersecurity policy:
- Hiring + developing qualified personnel to manage cybersecurity risks effectively (chief financial officer)
- Connection between cybersecurity and org’s integrity and values
- Board to oversee cybersecurity risks – via dedicated committee, CIO or included in terms of audit committee
- Monitoring + reporting of performance by board to ensure policy is successful
- Consider org’s tolerance to cyber-risks and connections between cybersecurity and other risks
Developing a cybersecurity policy:
Involves normal risk management procedures – identification, quantification, prioritisation of risks, costing, selection and implementation of counter measures and drawing up contingency plans
Risks management for vendors and business partners:
- Involves identifying, assessing and responding to risk, viewed from three different perspectives
Strategic perspective of managing risks from vendors and business partners:
Cybersecurity risk procedures should identify macro-level risks from third parties:
- National attack – threats that affect orgs across one or more countries
- Zero-day threats
- Major disruptions to operations
Operational perspective of managing risks from vendors and business partners:
- Identifying the current and future cybersecurity risks to core services provided by third parties
- This includes risks from suppliers that handle data processing
- Need to review technical and admin threats to network security and insider threats from malicious staff
- Due diligence for third parties before appointment and ongoing monitoring through SLA
Financial perspective of managing risks from vendors and business partners:
- Focus on relevant risks and quantified costs from individual threats
- By quantifying risks, the org will prioritise resources and set targets for suitable risk responses to improve security posture
CIMA strategies to avoid being hacked:
- Reconnaissance:
  * Being aware of how you appear to outsiders
  * If you look vulnerable – why is this and what can you do about it?
- Simulation:
  * Assume that you will be hacked at some point
  * What should you do to prepare yourself?
- Digital identity:
  * Find ways to identify everyone and everything that interacts with you digitally to prepare
What is the Internet of things?
* Internet of things = network connecting objects in the physical world to the internet
Examples:
* Smart TVs
* Fitness trackers
* Utilities meters
* Kitchen appliances
Risks of internet of things:
- Allows org’s to manipulate users by analysing their behaviour and using them for commercial purposes
- When updating or registering a device, IoT creates cybersecurity threats such as malware, data loss or remote access to devices
How should org’s communicate cybersecurity policies?
- Communicated via a formal policy statement that is straightforward to understand for both internal and external stakeholders
- Cybersecurity training should also be part of the policy, with a commitment to improve it and to deliver it appropriately
- Orgs may commission formal mandatory training to ensure that digital resilience is raised across all relevant services involved in info and data management
BPP’s cybersecurity risk management program:
- Information security management system:
  * High level risk management framework, policies and procedures
- Business continuity planning:
  * Disaster planning
- Physical + environmental security:
  * Aim to address risks from social engineering
- Starters, leavers and movers process:
  * Getting staff set up to use the system, adapting access for staff moving to a new department or role and stopping access when people leave
- Supplier management:
  * Risk based – a third-party IT service supplier should be prioritised above a stationery supplier as they pose greater risk
- Asset management:
  * Recovering assets from leavers, allowing access only to those who need it and protecting valuable assets
- Information governance:
  * Ensure people know which info is confidential, what is publicly available and what is internal only
- Training and awareness:
  * Making all employees aware of the importance of the programme and their responsibilities in maintaining it
Protection against malware:
- Anti-virus software
- Personnel policies = staff IT training + disciplinary procedures against staff who use unauthorised software
- Protect external email links by virus checking all messages and preventing files of a certain type being sent via email
What are legacy systems?
Systems that have grown organically over time rather than being specifically designed
What is a patch?
Software update that addresses known vulnerabilities (bug fix)