Week 4 Flashcards

1
Q

What is cyber security policy?

A

The codification of cyber security objectives to support the behaviour desired to achieve those objectives. Policies present security goals; they are not implementations or a detailed set of instructions/procedures.

  • A very powerful tool.
  • Instructions from management that indicate the expected governance of the organisation.
  • Comprises not only general directives but also goals, objectives, beliefs and responsibilities.
  • Represents areas of focus for management.
2
Q

What is China’s internet policy versus the EU’s internet policy?

A

“The internet is to serve the objectives of the state” - China.
“The internet should be open and accessible to all” - EU.

The EU’s policy implies the internet should keep expanding so that it reaches everyone. A larger, more open internet also means more information is collected and exposed.

3
Q

What policy will support superior national security (EU or China)? Recall two points of view from NYT and British Tories.

A

Two points of view:
1) NY Times video:
China’s internet is more like an intranet.
It has become so advanced that Western apps are copying it, specifically WeChat: a large variety of services on one app, combining the functions of Facebook, Amazon, Tinder, Venmo, Robinhood, etc. The government is able to monitor literally everything.
Problem: the government and companies can track every single movement you make.

2) British Tories video.

4
Q

What is involved in the creation of policies ?

A
  • We start with lots of concerns and ideas.
  • We assess these and turn them into properly assessed risks: determine the consequences of each occurring and its likelihood.
  • Take some of these risks and introduce a treatment (the policy).
5
Q

What is the “hierarchy of Governance” pyramid?

A

1) Top level of the pyramid: Policies - high-level objectives of the organisation and directives to mitigate and minimise risks. The “What”.
2) Middle level: Standards - how to meet the objectives and directives of the policy. The “How”.
3) Bottom of the pyramid: Procedures - explicit, step-by-step instructions on how to carry out the standards.

6
Q

What are the motivations for policy?

A
  • Consistency: reduces inconsistent behaviour. Be careful, though: reducing the autonomy of employees can upset them.
  • Controls and products: a security product has to be deployed in the organisation’s context, i.e. via the policy, so that the whole organisation adopts the same approach.
  • Distribution of knowledge: e.g. communicating “don’t share passwords with others”. Effective communication.
  • Expectations: creates the foundation for disciplinary action.
  • Compliance and audit.
  • Avoiding liability: shows the organisation has at least thought about security. Minimises the threat of litigation.
  • Tone: sets the tone for security within the organisation that employees display in their day-to-day work.
  • Management endorsement.
7
Q

What language should you use in the policy?

A
  • Should be a general solution for addressing a problem, not the implementation.
  • Short and simple directions.
  • Clear, directive language such as “must”, “do”, “will”.
  • Limited sentences and/or bullet points.
  • Clear and not vague.
  • Realistic in what it expects in terms of desired behaviours.
  • Must operate within the legal and regulatory environment.
  • Should not prohibit what the organisation cannot enforce.
  • Must not be designed in a way that makes it difficult or unrealistic to follow.
  • Inclusive versus exclusive policies: an inclusive policy states what is permitted (everything else is prohibited); an exclusive policy states what is prohibited (everything else is permitted).
8
Q

What might you see in a policy document?

A
  • Directives/objectives of the policy.
  • Revision control: states the version number and effective date of the policy. Allows employees to see what they need to update and to contrast the latest version with the previous one.
  • Revision detail: a brief summary of what has actually changed.
  • Owner: who owns and maintains the policy. Indicates who should receive feedback on it.
  • Roles and responsibilities: who is responsible for implementing/monitoring each aspect of the policy. Important in the real world.
  • Executive sign-off: signifies that the policy has been endorsed at the upper levels.
  • Purpose: what the policy document aims to cover.
  • Scope: who the policy applies to. A policy may apply only to a certain section of the enterprise.
  • Related documents: e.g. regulatory compliance information.
9
Q

What topics are covered by policy?

A

Companies might have a single cyber security policy, or multiple policies.
There is no wrong answer. At a minimum, the organisation wants to show it is being properly governed. Some examples:
Email Policy, Data Breach Response Policy, Internet Usage Policy, Workstation Security Policy (for HIPAA), the last informed by domain-specific guidance for the healthcare sector.

10
Q

What is a “Baseline Policy”?

A

A foundation policy that other, more specific policies build upon. Keeping the baseline general gives the other policies flexibility.

11
Q

Why would an organisation have a data breach response policy?

A

Communicates to the outside world that the organisation is aware of data breaches and has planned its response. Regulation is one driver: GDPR, for example, imposes breach notification obligations.

12
Q

What is policy verification and validation?

A

Checking that the policy is being followed and that it has the intended effect. Metrics can be used to determine whether or not the security objectives are being met.

13
Q

What are the problems with policies?

A
  • Having many policies can lead to confusion and lack of clarity.
  • Policies may curb autonomy, which can result in disgruntled employees.
  • Policies may impact business objectives: they may stop employees from doing their job.
  • The focus of policies is often on risk rather than on how people make decisions and what motivates them.
14
Q

What is the “Shampoo algorithm”?

A

Lather, rinse, repeat.
In a security context: we keep performing the same actions without knowing whether we are ever getting “clean”. We want to break out of this loop, which is where metrics come in.

15
Q

How do we quantify risk?

A

We have to understand the value of the underlying asset that is at risk.
Reaching a consensus on even a single valuation question can be very challenging.

16
Q

How do we determine house prices?

A
  • We get a group of experts to value the house using lots of data points (the same approach applies to valuing an asset at risk).
17
Q

What are Key Performance Indicators?

A

Key information that management uses to compare and contrast their organisation with others.
e.g. inventory turnover: the number of cycles it takes a company to clear its inventory. The lower the turnover, the more money is being spent on inventory that is just sitting there. Higher inventory turnover suggests the ability to be responsive to a changing, fluid market.
KPIs allow management to see how their company is doing.

18
Q

What are common powerful metrics?

A
  • Utilise measurements of time and money.
  • Generated or calculated mechanically or automatically.
  • Understood and communicable across the enterprise.
  • Understood across the industry.
19
Q

What’s the difference between metrics and measures?

A

Measures: concrete, clear, objective observations (a single raw value).
Metrics: can be somewhat subjective. A metric may be a single measurement, but it often represents a number of measurements combined.

20
Q

How are benchmarks defined?

A

Through measures and metrics.

21
Q

What are some of the motivations for metrics?

A
  • Remove fear, uncertainty and doubt (FUD).
  • Accountability, in terms of demonstrating regulatory compliance.
  • Provable security, in terms of a better understanding of the money spent on security improvements.
  • Metrics from a technical perspective.
  • Metrics can be considered in terms of process improvement and value.
22
Q

What are the 4 drivers for security measures?

A
  • Information asset fragility
  • Provable security
  • Cost pressures
  • Accountability
23
Q

What are the characteristics of good metrics?

A

1) Consistently measured: more credible than those that are not.
2) Cheap to gather.
3) Expressed as a number: cardinal in nature rather than ordinal. A traffic-light rating is not a good metric.
4) Expressed using at least one unit of measure.
5) Contextually specific.
6) Suited to the audience: management wants high-level metrics, technical teams want fine detail.

24
Q

What are the characteristics of bad metrics?

A

1) Inconsistently measured.
2) Cannot be gathered cheaply: will inevitably not be collected often.
3) Not expressed in units of measure.

25
Q

What are not metrics?

A

Metrics pulled wholesale from generic libraries of metrics are not usually useful, because they lack the context of the specific organisation.

26
Q

What are problems with metrics?

A

Accuracy:

  • Imprecision.
  • Lack of clarity around the measurement methods and procedures used to collect measurements and generate metrics.
  • Many metrics within an organisation are used without sufficient context, making it difficult to appreciate the value of the metric and/or measurement.
  • Fluid use of language in cyber security: the language is evolving, and what a term means now may change over time.

Selection:

  • Organisations waste time and money on poorly chosen metrics.
  • Poorly chosen metrics can generate misleading results.
  • Individuals who collect measurements they perceive as useless may become disgruntled.
  • Organisations might favour metrics that paint a positive picture.
  • Metrics that seemed useful in earlier cycles may be pointless now.
  • It is important that individuals understand how to properly combine measurements into metrics.
27
Q

What is the cyber security management cycle?

A

Strategy -> policy -> awareness -> control -> metrics -> report -> strategy (and the cycle repeats).