IA 2 - UNIT 2 Flashcards
different types of assets
- Tangible
- Intangible
Three Controls Assigning Responsibility
- Inventory
- Ownership
- Acceptable Use
Responsibilities of Assets
- provides adequate levels of security
- assigned to identified entities
- risk management and security responsibilities
- provides accountability for asset protection
Organization’s Assets
- Data / Information
- Hardware
- Intangible
- People
- Service
- Software
- Identify and record information about the assets
- Movements and changes are documented and updated
Inventory
- Assets have established owners
- Responsibility for the security of assets
- Review of Classification and use authorisation
Ownership
- Develop policies and guidelines
- Similar categories covered under the same policy
- Disclosure and release of information are cited
Acceptable Use
Organising information by sensitivity and by the loss that would result from its disclosure, modification or unavailability.
Classification and Handling
Two controls in place
- Classification Guidelines
- Information labeling and handling
- Organised by information needs and impact in case of breach
- Originator is responsible for classifying and protecting information based on policies and procedures
Classification Guidelines
Classification is based on value and impact, and determines the level of
- confidentiality
- integrity
- availability
Classification Guidelines Considers
- Security classification
- Information assurance
- Information owners
- Business, industry, and legal requirements
- Organisation Culture
Classification Process
- Creation ->
- access control implementation ->
- method of process ->
- information disposal
- Organisations must develop information handling protocols based on the policy on classification
- This preserves information assets
Labeling and Handling
Risk Management Process
- Background Planning
- Asset Analysis
- Threat Analysis
- Vulnerability Analysis
- Risk Identification
- Risk Analysis
- Risk Treatment
Background Planning Critical Elements
- Establish the Aim, Scope and Boundary
- Establish the risk evaluation criteria
process of managing the risks involved in Information Technology systems. These include identifying, assessing, and acting on risks to data confidentiality or integrity.
Risk Management
- The measure or extent to which an entity is threatened by a circumstance or event
- The likelihood of a threat event occurring
Risks
Using the CIA Triad
- Confidentiality: What happens if people could see this?
- Integrity: What happens if people could change this?
- Accessibility: What happens if authorized users can’t use this?
- Analyze your assets based on their type (Hardware, Software, People, Services, Platforms)
- Determine their owner, the value and their impact to the organization using the CIA triad
Asset Analysis
conducted while referring to a database of known major threats.
Threat Analysis
Human threats are divided into three dimensions
- The Motive
- The Opportunity
- The Means
are typically weather-related phenomena.
Natural Threats
- Identify the vulnerabilities for which threat events.
- The goal is to identify flaws or weaknesses that the threat can exploit.
Vulnerability Analysis
- Risks should be identified as early as possible.
- A good practice is to brainstorm with the risk management team. If the team lacks the expertise, outside help should be brought in.
Risk Identification
- A qualitative approach to risk analysis using the “quadrants” method.
- Risk in the “Low” category may be ignored or lowered in priority
Risk Matrix
- Periodic risk assessments should be conducted. Risk reviews should occur when there are changes to the I.T. infrastructure.
- Organizations should develop “risk dashboards”. This ensures that the risks are monitored in accordance with their priority.
Monitoring Risks
identify what methods are in place to control the risk, and the strengths/weaknesses of the system.
Risk Analysis
Based on the risk assessment:
- Avoid risk: If the activity causes risk, don’t do it.
- Reduce the likelihood of occurrence
- Reduce the consequences
- Transfer risk: Insurance, partnerships, etc.
- Accept risk: Just let it happen.
Integration w/ Other Management Practices
- Budgeting
- Business Planning
- Internal Audit
- Periodic Reporting
Risk management requires resources that may otherwise be used in other areas of the organization.
Budgeting
Organizations may have a business plan. Certain exercises, such as SWOT & PEST, may be used in risk analysis.
Business Planning
A tool that management may use to monitor risks. The frequency of reporting should be based on the impact of the risk.
Periodic Reporting
Organizations should use data from the risk management team to aid in internal auditing & control reviews
Internal Audit
Assures that unauthorized people do not have access to any information; all information that is transferred must be encrypted so that only authorized people are able to decrypt it.
Confidentiality
It is the practice of managing risks involving information such as the use, storage, transmission and processing. This includes the systems or devices that are being used in the process.
Information Assurance Policy
It prevents unauthorized access, use, disclosure, disruption, modification, or destruction of the data
Information Assurance Policy
Pillars of Information Assurance Security
- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation
This assures that the system is capable of protecting the data, so the information retains its original state. It ensures that no one can tamper with or modify the information without authorization.
Integrity
This ensures that the people who are guaranteed access have easy and timely access to the information, and that the information remains available even during unexpected scenarios.
Availability
Ensures that the information transmitted between parties is accurate and specific. The system must be capable of preventing impersonation and must confirm identities before giving access to the information.
Authenticity
Ensures that both parties receive confirmation or proof that their messages were delivered to the correct individuals; by confirming these identities, both parties allow each other to send and receive data.
Non-repudiation
There are four essential areas of focus applicable to the recruitment process.
- Inclusion of information assurance aspects in the job scope and description.
- Defined level of confidentiality or sensitivity required
- Filling the vacant positions with suitable candidates
- Use of legal documents to enforce information assurance
eliminates “gray” areas about employee responsibilities and how to respond in different situations.
job scope and description
should give a clear explanation about employees’ roles, responsibilities, and authorities in the organization. It is crucial to state the access level during the employee’s tenure.
scope and description
NICE
United States National Initiative for Cybersecurity Education
The NICE framework features:
- Operate and Maintain
- Protect and Defend
- Investigate
- Collect and Operate
- Analyze
- Securely Provision
- Oversight and Development
Individuals should be placed in specific positions within an organization based on their qualifications.
Consider the position’s confidentiality level and suitable screening and selection methods. Select the best candidate for the job.
Filling the Position
There are two general principles that apply when granting access
- job division
- employee rights restriction
- brings more privacy issues to the table
- the organization’s information assurance requirements should follow the organization’s information onto any media or platform
BYOD
Two documents frequently used as legally binding in organizations
- employment contract
- nondisclosure agreements (NDAs)
- an agreement between the organization and the employee defining all the terms and conditions of employment.
- Hence, from the point of view of information assurance, the employee’s information assurance roles and responsibilities should be defined pertaining, but not limited to, copyright, data protection rights, information ownership, information management, and information classification.
employment contract
- Organizations must ensure they clearly delineate the expectations of the employee in terms of privacy when it comes to employee-owned devices or employees using organizational equipment for personal use.
- Organizations may offer a de minimus policy for employees that states an employee may use organizational information systems and resources for personal use during a break or lunch period as long as there is no material cost to the organization.
- de minimus is Latin for “minimal things,” and in risk assessment it refers to a level of risk too low to be concerned with.
- If the organization is intercepting the connection and decrypting the information, it may be wading into the waters of a privacy violation.
- Organizations must work carefully with their legal departments to determine appropriate policies for work-life balance that ensure properly scoped monitoring can be performed when needed.
Monitoring and Privacy Expectations
- defines the identity of the organization and the employee, the level of confidentiality of the information covered, and to whom information may not be divulged.
- Hence, an employee should sign an ________ before they have access to the organization’s information systems or facilities.
- Furthermore, ________ should be reviewed whenever terms and conditions of employment change.
NDA
- a form of control that minimizes fraud. It may also keep an individual from staying in a job position for long periods; it helps manage their level of motivation.
- keeping an employee in one job position for extended periods may lead to the employee having too much control over certain business functions.
- Such employee control may lead to fraud, can lead to misuse of resources, or may even jeopardize data integrity.
Rotation of Duties
- An organization may perform periodic monitoring of employees’ activities to detect potential fraud.
- Clearly, this must be consistent with local laws; however, it is important for employees to know that such monitoring may take place.
- The organization should be cautioned against routine and undisclosed monitoring because this may trigger employees’ uneasiness: feelings that they are not being trusted and are being spied upon.
Periodic Monitoring
- The recruitment process does not stop once an employee is hired.
- The new employee will be trained to perform job-specific tasks including information assurance duties and responsibilities.
Employee Training and Awareness
- Organizations should establish policy and procedures for secure offboarding by defining actions to be taken to handle absence and departure.
- The actions should include temporary or permanent closing of accounts, steps for forwarding e-mails, change of critical passwords and phone numbers, and disabling access to all systems.
Termination or Change of Employment
- Establish and explain a formal disciplinary process for all employees specific to security breaches.
- The disciplinary process should ensure that employees suspected of committing any security breach are treated correctly and fairly.
Disciplinary Process
- Refers to the formal process of assessing and certifying that an organization’s information systems and processes meet certain security standards and compliance requirements.
- The Information Assurance Planning Process involves a series of steps and activities aimed at ensuring the confidentiality, integrity, and availability of an organization’s information assets.
Accreditation
This process includes identifying the information systems and assets to be accredited, understanding the relevant security requirements, and establishing an accreditation team.
Preparation and Planning
- outlines the system’s security requirements, policies, procedures, and controls.
- It serves as a foundational document for the accreditation process.
System Security Plan (SSP) Development
- Organizations perform a comprehensive risk assessment to identify potential threats, vulnerabilities, and risks associated with the information systems.
- This assessment helps in determining the appropriate security controls and countermeasures
Risk Assessment
Based on the SSP and risk assessment, the organization implements the necessary security controls to mitigate identified risks and meet security requirements. This may involve the deployment of technical safeguards, security policies, and employee training.
Security Controls Implementation
The organization conducts security testing and evaluation to assess the effectiveness of the implemented security controls. This may include vulnerability scanning, penetration testing, and other security assessments.
Security Testing and Evaluation
Detailed documentation of all security-related activities, including security control implementation, testing results, and incident response procedures, is essential for the accreditation process.
Documentation
The accreditation team compiles all relevant documentation and evidence into an accreditation package. This package is submitted to the accrediting authority for review.
Accreditation Package Preparation
- a policy for employees that states an employee may use organizational information systems and resources for personal use during a break or lunch period as long as there is no material cost to the organization
- and in risk assessment it refers to a level of risk too low to be concerned with
de minimus policy
- often a designated security or compliance officer within the organization or a regulatory body, reviews the accreditation package.
- They assess whether the security controls are effectively mitigating risks and whether the organization is in compliance with applicable standards and regulations.
Accrediting Authority Review
This decision can be to accredit the system (grant authorization to operate), deny accreditation, or require further remediation and reevaluation.
Accreditation Decision
- Organizations must maintain continuous monitoring and oversight of the accredited systems.
- This includes ongoing security assessments, incident response, and periodic reviews to ensure compliance with security requirements.
Continuous Monitoring
- Accreditation is not a one-time process.
- Periodically, the organization must undergo reaccreditation to ensure that the security controls remain effective and that the system remains compliant with evolving security standards and regulations.
Reaccreditation
Two Approaches to Implementing Information Assurance
- The Bottom-up Approach
- The Top-down Approach
places the responsibility of successful information security on a single staff member or security department
The Bottom-up Approach
starts with upper management: top-level managers are the ones responsible for initiating, creating, and implementing the data protection strategy
The Top-down Approach
The Bottom-up Approach Advantages
- uses a person or team’s experience and expertise to handle intricate security concerns
- you may be able to assign the task to an existing employee with the appropriate background instead of hiring someone new
The Top-down Approach Advantages
- has more efficacy because it makes data protection a company-wide priority instead of placing all the responsibility on one person or team
- incorporates more available resources and a clearer overview of the company’s assets and concerns
The Bottom-up Approach Disadvantages
- it doesn’t involve assistance or input from top-level management
- infosec program won’t have the same thoroughness that it would have if you were incorporating information and directives from the top
Structure of an Information Assurance Organization
- Centralized Structure
- Distributed Structure
- Hybrid Structure
where an information assurance management program is managed under a centralized unit with ultimate accountability and responsibility for the program
Centralized Structure
where roles, responsibilities, and authorities are spread throughout the organization’s business units, operations areas, and geographical locations
Distributed Structure
- a mix of the centralized and distributed structures
- features centralized management of information assurance with decentralized execution of security activities.
Hybrid Structure