Overig uit slides Flashcards
What is an Audit?
“Auditing is the systematic process of objectively obtaining and evaluating evidence regarding assertions about economic activities and events to ascertain the degree of correspondence between the assertions and established criteria, and communicate the results to interested users”
“audit is testing to a norm”
Rule-based vs principle-based
Rule-based: “the speed limit is 120 km/h”
Principle-based: “drive responsibly when it is snowing”
3 types of control measures
- Preventative measures: make risk (nearly) impossible to occur
- Detective measures: make sure no risks go unnoticed
- Corrective measures: when detected, react appropriately (respond and recover)
There are three kinds of IT audits:
- Design: system is adequate for its purpose
- Implementation: design is effectively implemented and operational; procedures are known and used.
- Operating effectiveness: system is effectively operational, for full duration of period
PDCA in risk management
- Company sets objectives (plan)
- Company executes business processes (do)
- Process outcomes are recorded (KPIs) and compared to norms reflecting the objectives (check)
- In case of deviation, introduce control measures (act)
What are the 4 problems of key management
- key distribution: make sure only authorized people have key
- secrecy: how to keep keys secret
- useability: how to make sure people do not forget (e.g. key phrases)
- storage: on a special device (smart card), stored encrypted. …?
4 reasons to protect data
- Privacy: Right to be let alone
- protect citizens: limit the power of states or companies
- autonomy: right to shape one’s own life
- control: right to correct mistakes
What are the 6 enterprise information security key questions?
(guest lecture)
- How secure do we want to be?
- Which risks do we want to mitigate?
- Which risks to accept?
- how secure are we anyway?
- Are we as secure as we want to be?
- How much money to spend on information security?
Name and explain the 7 main steps of the guest lecture
1. Criticality of business activities: Create an overview of the activities and business assets that need protection, and determine the level of criticality of those assets
2. Operational conditions: Describe the policy and conditions that need to be filled in for the business activities to continue without interruption
3. Risk analysis and risk appetite: Create an overview of the initial business risks and determine the risk appetite of the organization.
4. Enterprise security requirements: Define the business security requirements, the level of protection required for the business assets, based upon the risk appetite of the organization
5. Security architecture: Define security architecture, describing the controls and measures requirement to comply to the enterprise security requirements.
6. Gap and risk analysis: Determine this discrepancies between the requires situation as described in the security architecture and the actual situation. Determine the risks caused by these discrepancies.
7. Management of remaining risks: Decide how to handle the remaining risks. Three main choices: accept, repair, insurance.
4 types of hacker actors
Nation state
Hacktivists
Organized Crime
Insiders
3 parts of cyber kill chain
Preparation
intrusion
controlled breach
