Chapter 9 - Cyber Security processes Flashcards

1
Q

Cybersecurity risk governance structure:

A
  • Orgs should have a formal, codified policy statement outlining cybersecurity aims, which should be overseen by the board
2
Q

Considerations for cybersecurity policy:

A
  • Hiring + developing qualified personnel to manage cybersecurity risks effectively (chief financial officer)
  • Connection between cybersecurity and org’s integrity and values
  • Board to oversee cybersecurity risks – via dedicated committee, CIO or included in terms of audit committee
  • Monitoring + reporting of performance by board to ensure policy is successful
  • Consider org’s tolerance to cyber-risks and connections between cybersecurity and other risks
3
Q

Developing a cybersecurity policy:

A

Involves normal risk management procedures – identification, quantification and prioritisation of risks, costing, selection and implementation of countermeasures and drawing up contingency plans

4
Q

Risk management for vendors and business partners:

A
  • Involves identifying, assessing and responding to risk, viewed from three different perspectives
5
Q

Strategic perspective of managing risks from vendors and business partners:

A

Cybersecurity risk procedures should identify macro-level risks from third parties:

  • National attack – threats that affect orgs across one or more countries
  • Zero-day threats
  • Major disruptions to operations
6
Q

Operational perspective of managing risks from vendors and business partners:

A
  • Identifying the current and future cybersecurity risks to core services provided by third parties
  • This includes risks from suppliers that handle data processing
  • Need to review technical and admin threats to network security and insider threats from malicious staff
  • Due diligence for third parties before appointment and ongoing monitoring through SLA
7
Q

Financial perspective of managing risks from vendors and business partners:

A
  • Focus on relevant risks and quantified costs from individual threats
  • By quantifying risks, the org will prioritise resources and set targets for suitable risk responses to improve security posture
8
Q

CIMA strategies to avoid being hacked:

A
  1. Reconnaissance:
    * Being aware of how you appear to outsiders
    * If you look vulnerable – why is this and what can you do about it?
  2. Simulation:
    * Assume that you will be hacked at some point
    * What should you do to prepare yourself?
  3. Digital identity:
    * Find ways to identify everyone and everything that interacts with you digitally to prepare
9
Q

What is the Internet of things?

A
* Internet of things = network connecting objects in the physical world to the internet
Examples:
* Smart TVs
* Fitness trackers
* Utilities meters
* Kitchen appliances
10
Q

Risks of internet of things:

A
  • Allows orgs to manipulate users by analysing their behaviour and using them for commercial purposes
  • When updating or registering a device, IoT creates cybersecurity threats such as malware, data loss or remote access to devices
11
Q

How should orgs communicate cybersecurity policies?

A
  • Communicated via a formal policy statement that is straightforward to understand for both internal and external stakeholders
  • Cybersecurity training should also be part of the policy commitment to improve, and should be delivered appropriately
  • Orgs may commission formal mandatory training to ensure that digital resilience is raised across all relevant services involved in info and data management
12
Q

BPP’s cybersecurity risk management program:

A
  1. Information security management system:
    * High level risk management framework, policies and procedures
  2. Business continuity planning:
    * Disaster planning
  3. Physical + environmental security:
    * Aim to address risks from social engineering
  4. Starters, leavers and movers process:
    * Getting staff set up to use system, adapting access for staff moving to new department or role and stopping access when people leave
  5. Supplier management:
    * Risk based – third-party IT service supplier should be prioritised above stationery supplier as they pose greater risk
  6. Asset management:
    * Recovering assets from leavers, allowing access only to those who need it and protecting valuable assets
  7. Information governance:
    * Ensure people know which info is confidential, what is publicly available and what is internal only
  8. Training and awareness:
    * Making all employees aware of importance of programme and their responsibilities in maintaining it
13
Q

Protection against malware:

A
  • Anti-virus software
  • Personnel policies = staff IT training + disciplinary procedures against staff who use unauthorised software
  • Protect external email links by virus checking all messages and preventing files of a certain type being sent via email
14
Q

What are legacy systems?

A

Systems that have grown organically over time rather than being specifically designed

15
Q

What is a patch?

A

Software update that addresses known vulnerabilities (bug fix)

16
Q

Patch management:

A
  • Patch management can be used as a preventative control (vulnerability is spotted before any damage) and as a detective control (in response to cybersecurity breach)
  • Patches need to be applied as they are required to reduce risk that vulnerabilities will be exploited
  • Given the cost and expertise required as well as complexity of legacy systems, this is an area that the org cannot afford to ignore
17
Q

What does encryption involve?

A
  • Encryption = scrambling data at one end of a communication channel, transmitting the scrambled data and unscrambling it at receiver’s end
  • Aims to ensure security of data during transmission
  • To read an encrypted file, you require access to security key or password to decrypt it
  • Unencrypted data = plain text, encrypted data = cipher text
  • Only secure way to prevent eavesdropping
18
Q

Encryption techniques:

A
  1. Digital signature:
    * Encryption by means of private keys ensuring sender is who they claim to be and providing evidence
  2. Digital envelope:
    * Sending the key used to encrypt the message separately from the encrypted message
  3. Authentication:
    * Making sure message has come from an authorised sender
    * Involves adding an extra field to a record whose contents are derived from the remainder of the record, to which an algorithm is applied
  4. Dial-back security:
    * Requires person to dial into network and identify themselves
    * The system then dials the person back before allowing access
19
Q

Firewalls:

A
  • Firewall = protects part of the communications technology to prevent unwelcome access into a computer system
  • Allow public access to some parts of computer systems, while denying access to other parts
  • Access to rest of system is controlled by passwords
  • Skilled hackers may be able to bypass these precautions
20
Q

Email policies:

A
  • Sending of confidential info to external sources should be prohibited, or sent encrypted or password protected
  • Employees should not delete sensitive emails and should keep hard copies
  • Legal disputes should not be discussed over email
  • Attachments and emails should be checked for viruses
  • Security software should be used to analyse attachments – electronic limits can also be placed on types of attachments
21
Q

Logical access systems prevent access by measures such as:

A
  • identification of user
  • authentication of user identity
  • checks on user authority
22
Q

Passwords:

A
  • System does not allow access, terminal may lock and the attempted unauthorised access should be recorded
  • Keeping track of failed attempts can alert managers to repeated efforts to break into the system
23
Q

Back-up controls:

A
  • Ensure that most recent useable copy of data can be recovered and restored in event of deliberate or accidental loss or corruption
  • Forms part of contingency controls and should also be part of day-to-day procedures
  • Back-ups should be stored in a separate secure location
24
Q

Disaster planning:

A
  • Information contingency planning involves response protocols that consider various risk eventualities that the org may be asked to cope with and how it should respond to them
  • Protocols are often practiced via simulations to ensure staff are adequately trained and that protocols are fit for purpose
25
Q

Key elements to address disaster risks:

A
  1. Responsibility schedule:
    * Someone needs to be in charge, take control and delegate tasks in such a situation
  2. Priorities:
    * Resources need to be prioritised as to what gets addressed first and what can be left for later
  3. Back-up procedures:
    * Ongoing and as part of normal risk management – should have familiarity with how to access and install back-ups
  4. Business continuity arrangements:
    * Protocols would be required for replacing premises and systems with minimal disruption to normal operational service
  5. Communication protocols:
    * Systems of communication should be available in the event of a disaster – between individuals but also to public
  6. Risk assessment:
    * Should be opportunity to assess how serious disaster is in order to allow most appropriate responses
26
Q

Information systems controls:

A
  1. General controls:
    * Encompass software + hardware – personnel controls, passwords and access controls
  2. Application controls:
    * Input controls – use of batches, data entry protocols
    * Processing controls – reconciliations and control totals
    * Output controls – exception reports, audit trails
  3. Software controls:
    * Control use of unauthorised software – counterfeit software
    * Controls include buying from reputable supplier and inspections to ensure such programmes are not used
  4. Network controls:
    * Protect information systems from network risks – virus protection, data encryptions, firewalls
    * Controls have to be practical – access needs to be granted, but associated risks also need to be controlled
27
Q

Levels of integrity:

A
  • IS controls need to ensure that systems maintain suitable levels of integrity
  1. Data integrity:
    * Preserved when system data is the same as found in source documents and has not been accidentally or intentionally altered, destroyed or disclosed
  2. Systems integrity:
    * Operation of systems conforming to intended design specification, despite attempts to make it behave incorrectly
28
Q

Measures to control personnel risk:

A
  • Careful recruitment – taking up of references
  • Job rotation
  • Supervision and observation by superior
  • Review of computer usage
  • Enforced vacations to ensure no one person has overall control of cybersecurity related matters
  • Termination procedures restricting access to sensitive data when employees leave the org
29
Q

Personnel cybersecurity planning - Division of responsibilities in data processing department:

A
  • Work is divided between systems analysts, programmers and operational staff
  • Operations jobs are divided between data control, data preparation and computer room operations
  • To assign responsibility for certain tasks to specific jobs and individuals and to prevent deliberate error
30
Q

Personnel cybersecurity planning - end-user computing:

A
  • Segregation of duties might not always be possible and therefore the same person who operates the computer also inputs data and may even write their own programmes
  • It is important to ensure that data being processed is not such as to have a bearing on the assets of the business – person operating the computer and inputting data should not write programmes or design the system
  • Suitable internal audit checks of systems should be done
31
Q

Personnel cybersecurity planning - computer support department:

A
  • User and software support
  • Change and configuration management
  • Back-ups, documentation and maintenance
  • Controls should enhance cybersecurity
32
Q

ISO 27001 – 6 step process for best practice of cybersecurity and cybersecurity responses:

A
  • Agree methodology across org to ensure consistency in responding to data security
  • Carry out assessment of all potential data risks across org
  • Record of the treatment of risks – TARA approach
  • Produce report covering all results for accreditation purposes
  • Produce a statement of applicability to be reviewed by accredited ISO auditor
  • Compile risk treatment plan – implementation plan for what needs to be done, who does it, how and when
33
Q

Other cybersecurity monitoring systems:

A
  • Board may monitor cybersecurity either directly or via relevant committees depending on decisions regarding cybersecurity risk management governance
  • Board should receive communication about cybersecurity events, threats and vulnerabilities both on regular basis and ad hoc
  • Internal audit may be involved in compiling reports which focus on cybersecurity events, threats or vulnerabilities
34
Q

Corrective actions against events, threats and vulnerabilities:

A
  • If monitoring identifies errors – respond either by updating the software or using temporary fix (patch)
  • If monitoring identifies actual or potential security breach – responses should be swift and appropriate and in line with cybersecurity policy
  • Given dynamic nature of cybersecurity threats, clarity of diagnosis and swiftness of action should be core parts of response
35
Q

Outputs from cybersecurity monitoring systems:

A
  • Regulators may need to be informed
  • Identification of staff responsible for deliberate attacks could lead to either specific actions against staff or more general changes to HR policies
  • Weaknesses in systems could lead to changes in way in which system operates
  • Consistent trends in cybersecurity events may lead to budget allocations changing
  • Training needs may be identified as result of consistent threats due to poor user awareness or education
  • Policy changes as result of analysing cybersecurity events
  • Analysis of audit trails could also indicate root cause that needs to be addressed