IT Security - Exam Prep Flashcards
Pries-Heje, J., Fleron, B., & Baskerville, R. (2024). The Digital Empowerment Paradox: The Experience in Denmark. Proceedings from HICSS
Digital empowerment paradox:
Cyclical learning process:
Focus on continuous learning:
Digital empowerment paradox: Digitalization can empower intended beneficiaries (citizens, businesses) while simultaneously disempowering unintended victims (unprepared citizens) and accidentally creating vulnerabilities that empower unintended opponents (cyber attackers).
Understanding the paradox is crucial: Policymakers and those involved in digitalization initiatives need to be aware of the empowerment paradox to anticipate and mitigate unintended consequences.
Cyclical learning process: Large-scale digitalization is a complex, ongoing learning process. As the process unfolds, unintended consequences arise, requiring adjustments to address the newly identified victims and empowered opponents.
Focus on continuous learning: Digitalization is a journey, not a destination. Continuous learning and adaptation are essential to address the evolving challenges and empower all stakeholders.
Rigsrevisionen (2023). Statens it beredskab II, afgivet til Folketinget med Statsrevisorernes bemærkninger
What is it about?
Rigsrevisionen (the Danish National Audit Office) has assessed the IT preparedness of 12 critical IT systems in the Danish government.
Recommendations
- All authorities should develop risk assessments for their critical IT systems.
- All authorities should develop crisis management plans, emergency plans, and reestablishment plans for their critical IT systems.
- All authorities should test their IT preparedness plans on a regular basis.
- The Ministry of Finance should provide clear guidelines and instructions to authorities on IT preparedness.
Rigsrevisionen (2022). 5 statslige myndigheders efterlevelse af 20 tekniske minimumskrav til it-sikkerheden
Recommendations and some examples?
Recommendations
Public authorities should take the following steps to ensure compliance with the 20 technical requirements for IT security:
- Conduct a comprehensive risk assessment to identify all potential threats and vulnerabilities.
- Develop a detailed plan for implementing the required security measures.
- Train all employees on IT security awareness and best practices.
- Regularly monitor and review IT security systems and processes.
The 20 requirements cover a wide range of IT security measures, including:
- Firewalls: Implement firewalls on all clients to prevent unauthorized access to workstations.
- VPN: Use a VPN solution to access the internet from work computers on external networks.
- Hard disk encryption: Encrypt hard drives to protect data in case of theft or loss of the computer.
- Endpoint protection: Implement endpoint protection against viruses, malware, etc. with automatic updates on all clients.
- Regular updates of clients: Ensure that clients are regularly updated, including both the operating system and applications.
- Limited allocation of local administrator rights: Only grant local administrator rights on a time-limited basis and with well-documented needs.
- Up-to-date operating system: Ensure that the operating system is as new as possible and is at least supported with security updates.
- Approved email relays with authentication: Only use email relays that are approved by the authority and that use authentication.
- Encryption of communication with email protocols: Encrypt communication with email protocols and use at least TLS 1.2.
- 2-factor authentication or direct VPN connection: Ensure that webmail is only used outside of the authority’s local network if this is done using 2-factor authentication or via a direct VPN connection to the authority’s network.
- DMARC REJECT policy on domains: Implement a DMARC REJECT policy on all domains belonging to the authority.
- Password of at least 6 digits or biometric identification: Ensure that a numeric password of at least 6 digits or biometric identification is used.
- Regular updates of mobile devices: Regularly update the operating system and apps on mobile devices.
- Encryption of Wi-Fi on work networks: Encrypt Wi-Fi on the authority’s work network with at least WPA2.
- Logging: Ensure logging, including logging on all systems and services on network servers.
- DNSSEC: Ensure that DNSSEC is associated with all domain names belonging to the authority.
- Protection against malicious websites: Use a secure DNS service or implement another solution to protect against malicious websites.
- Encryption of communication to websites: Encrypt communication to websites and use at least TLS 1.2, i.e. HTTPS must be implemented on all websites.
- No Flash: Do not use Flash on authority websites.
- Regular updates of web servers: Use regularly updated server software on web servers.