Paper 2 Unit 8 Flashcards

1
Q

What is confidentiality?

A

Confidentiality in information security refers to the assurance that data is only accessible to authorized individuals or entities and remains protected from unauthorized access or disclosure.

2
Q

What is integrity?

A

Integrity in information security ensures that data remains accurate, consistent, and trustworthy throughout its lifecycle, safeguarding against unauthorized alteration, corruption, or tampering.

3
Q

What is availability?

A

Availability in information security refers to ensuring that data and systems are accessible and usable when needed by authorized users, while protecting them from disruptions or downtime caused by various threats or incidents.

4
Q

What does integrity do?

A

Ensures that information remains accurate, consistent and trustworthy throughout its lifecycle. Involves protecting data from unauthorised modification, alteration or deletion, whether intentional or unintentional. Maintaining data integrity is crucial for ensuring the reliability and trustworthiness of information.

5
Q

What techniques are used in integrity?

A

Techniques such as data validation, checksums, digital signatures and access controls are employed to verify the integrity of data and detect any unauthorised changes

6
Q

What does confidentiality do?

A

Ensures information is accessible only to authorised people. Involves preventing unauthorised access to sensitive data, ensuring it remains private and protected. Ensures that information is only disclosed to authorised users or entities, maintaining the privacy and confidentiality of the data

7
Q

What techniques are used in confidentiality?

A

Techniques such as encryption, access controls and data masking are commonly used to enforce confidentiality

8
Q

What does availability do?

A

Ensures that information and computing resources are accessible and usable when needed by authorised users. It involves ensuring timely and reliable access to information and services, minimising downtime and disruptions. Essential for maintaining productivity, continuity of operations and meeting the needs of users and stakeholders

9
Q

What measures are used for availability?

A

Measures such as redundancy, fault tolerance, disaster recovery planning and robust infrastructure design are implemented to ensure high availability of systems and services

10
Q

Why is maintaining compliance important?

A

Adhering to the principles of Confidentiality, Integrity, and Availability (CIA) helps organisations comply with legal and regulatory requirements. Many industries have specific regulations governing the protection of sensitive information, such as GDPR, Data Protection Act 2018 or financial information under PCI-DSS. By maintaining CIA principles, organisations demonstrate their commitment to compliance, which helps avoid legal penalties, fines, and reputational damage resulting from non-compliance

11
Q

Why is maintaining trust with internal and external stakeholders important?

A

Consistently upholding CIA principles fosters trust among internal stakeholders (employees, management) and external stakeholders (customers, partners, regulators). When individuals trust that their sensitive information is kept confidential, accurate, and accessible when needed, they’re more likely to engage with the organisation and share information. Trust is fundamental for building strong relationships, both within the organisation and with customers and partners.

12
Q

Why is promoting a positive brand image important?

A

Maintaining high standards of information security through CIA principles enhances an organisation’s reputation and brand image. Customers prefer to interact with businesses that prioritise the protection of their data, leading to increased customer loyalty and positive word-of-mouth referrals. A strong brand image as a trustworthy and secure entity can differentiate an organisation from its competitors and attract more customers and partners.

13
Q

Why is avoiding security risks and unauthorised access important?

A

Adhering to CIA principles helps mitigate security risks and prevent unauthorised access to sensitive information. By implementing robust security measures, such as encryption, access controls, and regular security audits, organisations can safeguard against data breaches, cyberattacks, and other security incidents. Preventing unauthorised access not only protects sensitive information but also prevents potential financial losses, reputational damage, and legal liabilities associated with security breaches.

14
Q

What are the financial consequences of not maintaining CIA?

A

Regulatory Fines: Organisations can face hefty fines from regulatory bodies for breaches of data protection laws. For instance, under the General Data Protection Regulation (GDPR), fines can amount to €20 million or 4% of global annual turnover, whichever is higher. In 2019, British Airways was fined £20 million by the UK Information Commissioner’s Office (ICO) for a data breach affecting over 400,000 customers’ personal data.
Refunds and Compensation to Customers: Companies may be required to provide refunds or compensate customers for financial losses incurred due to security breaches or unauthorised access to their personal information. This could include reimbursement for fraudulent transactions or identity theft resulting from a data breach.
Loss of Earnings: Security incidents can disrupt operations, lead to downtime, and result in loss of revenue. For example, ransomware attacks can paralyse systems, causing significant financial losses due to inability to conduct business. The 2017 WannaCry ransomware attack on the UK’s National Health Service (NHS) resulted in estimated losses of £92 million.

15
Q

What are the legal consequences of not maintaining CIA?

A

Lawsuits: Individuals affected by data breaches may pursue legal action against the organisation for damages, such as financial losses, identity theft, or emotional distress. In the case of Google’s Safari workaround, the company faced a class-action lawsuit in the UK and settled for £13 million for bypassing privacy settings on Apple’s Safari browser, leading to unauthorised tracking of users’ browsing habits.
Termination of Contracts: Non-compliance with information security standards can result in termination of contracts with clients or partners. Failure to adequately protect sensitive data may breach contractual obligations, leading to legal disputes and termination of business relationships.

16
Q

What are the reputational consequences of not maintaining CIA?

A

Loss of Clients: Publicised data breaches or security incidents can erode trust and confidence in an organisation, leading to the loss of clients or customers. For instance, the 2018 Facebook-Cambridge Analytica scandal, where millions of users’ personal data was improperly accessed, resulted in public outrage and a loss of user trust in the platform.
Damage to Brand: Repeated or severe security incidents can tarnish an organisation’s reputation and damage its brand image. Customers may perceive the company as untrustworthy or negligent, impacting future business prospects and market competitiveness.

17
Q

What is malware?

A

Software designed to disrupt, damage, or gain unauthorised access to computer systems, networks, or data. Malware can take various forms and is typically distributed through malicious websites, email attachments, infected USB drives, or software vulnerabilities. Common types of malware include viruses, trojans, worms, ransomware, spyware, adware, and rootkits.

18
Q

What is a threat?

A

Malware poses a significant threat to organisations by compromising the security and integrity of their IT infrastructure and data. Depending on its type and payload, malware can perform various malicious activities, such as stealing sensitive information (e.g., credentials, financial data), encrypting files for ransom, disrupting operations, launching further attacks, or turning infected devices into botnets for remote control.

19
Q

What is an impact?

A

The impact of malware on an organisation can be severe, resulting in financial losses, data breaches, service disruptions, damage to reputation, and legal liabilities. Malware infections can lead to downtime, loss of productivity, and recovery costs associated with restoring affected systems and data. Organisations must implement comprehensive security measures, such as antivirus software, firewalls, intrusion detection systems, and user education, to mitigate the risk of malware infections

20
Q

What confidential data do organisations keep that they want to protect?

A

Details of employees’ salaries and perks
Client lists and customer information
Sales figures
Trade secrets
Knowledge of any reorganisation

21
Q

What impact can not maintaining privacy and confidentiality have in an organisation?

A

Loss of income due to loss of customer confidence or loss of competitive advantages
Compensation for customers whose data has been exposed
Fines for breaches of the data protection legislation
Costs for improving security and restoring data
Loss of business caused by downtime during data recovery
Damage to the reputation of the business with the consequential loss of business or investment

22
Q

What potential technical threats and vulnerabilities are there to systems, data and information?

A

Hacking
Botnets
DDoS Attacks
Malware
Social Engineering
Insecure APIs
Use of ad hoc or open networks
Eavesdropping/man-in-the-middle attacks

23
Q

What potential physical threats and vulnerabilities are there to systems, data and information?

A

Location of system or asset
System or asset layout
System or asset design/robustness
Circumstances of use
Characteristics of users/community (malicious employees)
Threats beyond the control of the organisation (e.g. natural disasters, power cuts or loss of internet access)

24
Q

What potential human threats and vulnerabilities are there to systems, data and information?

A

Human error (accidentally downloading malware, accidentally deleting or modifying files, sending data or emails to the wrong recipient)
Malicious employees
Criminals/targeted attacks

25
Q

What processes can be done to mitigate threats and ensure security?

A

Air gapping - isolating the system
Anti-malware software
Certification of APIs
Configuration and management of software-based access control
Device hardening
Encryption
User access restrictions
Multi-factor authentication
Firewalls
Policy enforcement and training
SYN cookies
Virtual Private Networks (VPNs)
Security testing (pen testing and ethical hacking)