BCS Foundation Certificate in
Information Security Management
Principles
About The Knowledge Academy
• World Class Training Solutions
• Subject Matter Experts
• Highest Quality Training Material
• Accelerated Learning Techniques
• Project, Programme, and Change
Management, ITIL® Consultancy
• Bespoke Tailor Made Training Solutions
• PRINCE2®, MSP®, ITIL®, Soft Skills, and More
Administration
• Trainer
• Fire Procedures
• Facilities
• Days/Times
• Breaks
• Special Needs
• Delegate ID check
• Phones and Mobile devices
Outlines
• Domain 1: Information Security Management Principles
• Domain 2: Information Risk
• Domain 3: Information Security Framework
• Domain 4: Security Lifecycle
• Domain 5: Procedural/People Security Controls
• Domain 6: Technical Security Controls
• Domain 7: Physical and Environmental Security Controls
• Domain 8: Disaster Recovery and Business Continuity Management
• Domain 9: Other Technical Aspects
Syllabus Weightings
• Domain 1: Information Security Management Principles – 10%
• Domain 2: Information Risk – 10%
• Domain 3: Information Security Framework – 15%
• Domain 4: Security Lifecycle – 10%
• Domain 5: Procedural/People Security Controls – 15%
• Domain 6: Technical Security Controls – 25%
• Domain 7: Physical and Environmental Security Controls – 5%
• Domain 8: Disaster Recovery and Business Continuity Management – 5%
• Domain 9: Other Technical Aspects – 5%
Day 1
• Domain 1: Information Security Management Principles
• Domain 2: Information Risk
• Domain 3: Information Security Framework
Domain 1: Information Security Management Principles
Outlines of Domain 1
• Module 1: Information Security Management Principles
• Module 2: The Need for, and Benefits of, Information Security
Module 1: Information Security Management Principles
Information Security – Core Principles
CIA Triad: Confidentiality, Integrity, Availability
Information Security
Confidentiality
• Confidentiality is defined as the property that information is not made available or
disclosed to unauthorised individuals, entities or processes
• Information will usually be provided only to a limited number of individuals because of
its nature or its content, or because its broader distribution would involve financial or
legal penalties or embarrassment to one party or another
• It is good practice to restrict access to information, and this is based on the principle of
confidentiality. Controls for ensuring confidentiality are an integral part of the broader
aspects of information assurance management
Information Security
Integrity
• Integrity is defined as the property of accuracy
and completeness
• Information is only useful if it is complete as
well as accurate, and remains so
• Maintaining this aspect of information (its
integrity) is usually important, and assuring that
only specific people have the appropriate
authorisation to alter, update or delete the
information is another fundamental principle of
information assurance
Information Security
Availability
• Availability is defined as the property of being
usable and accessible upon demand by an
authorised entity
• Availability is the one domain where
developments in technology have increased
the difficulties for the information assurance
professionals
Information Security
• The opposite of the CIA Triad is D.A.D.:
D – DISCLOSURE (if disclosed, it is no longer Confidential)
A – ALTERATION (if the alteration hasn’t been properly authorised, the
Integrity is challenged)
D – DENIAL (if access is denied, Availability is not possible)
Information Security
(Continued)
• Therefore, there will always have to be a compromise between the availability of the
information and security in its purest sense
• Throughout all aspects of IA, this compromise has to be acknowledged and has a direct
bearing on many of the principles covered in it
Information Security
Non-Repudiation
• Non-repudiation is the assurance that a party
cannot later deny having taken an action
• Typically, non-repudiation provides the ability
to ensure that a party to a contract or
communication cannot deny the authenticity
of their signature on a document or the
sending of a message that they originated
Cyber Security
• The practice of protecting computers, servers, mobile devices, electronic systems,
networks, and data from malicious attacks is called cyber security; it is also known as
electronic information security or information technology security
• This term applies in a variety of contexts, from enterprise to mobile computing, and can
be divided into a few different categories. These are:
1. Network Security
2. Application Security
3. Information Security
4. Operational Security
5. Disaster Recovery and Business Continuity
6. End-user Education
Asset and Asset Types (Information, Physical,
Software)
• Asset: Asset is anything which has value to the organisation
• Assets come in a range of types, as do the mechanisms for using them. In information
assurance, three main types of assets are considered
• The three main types are:
1. Pure Information
2. Physical assets like buildings and computer systems
3. Software used to process or otherwise handle information
Asset Value and Asset Valuation
Asset Value
• The net asset value, also called net tangible assets, is the book value of tangible assets
less liabilities on the balance sheet – or the money which would be left over if the
company were liquidated
• This is the lowest a company is worth and can give a beneficial baseline for a company's
asset value because it eliminates intangible assets
• If a stock's market value were below book value it would be considered undervalued,
which means the stock is trading at a deep discount to book value per share
Asset Value and Asset Valuation
Asset Valuation
• It is the process of determining the fair market or present value of assets by using book
values, option pricing models and absolute valuation models like discounted cash flow
analysis
• Such assets include investments in marketable securities such as stocks, bonds and
options; tangible assets such as buildings and equipment; and intangible assets such as
brands, patents and trademarks
• Asset valuation plays a crucial role in finance and frequently consists of both subjective
and objective measurements
Threat, Vulnerability, Impact and Risk
Threat
• A threat is defined as a possible cause of an undesired incident, which may result in
harm to a system or organisation
• For instance, if we look into the sky and see dark and large clouds, we think about the
threat of rain
• To some, such as farmers, this threat is not undesirable at all, so they would not take
the same view of the clouds and their potential for rain – and this is a crucial point to
recognise
• Threats may vary from one organisation to another. Therefore, it is all dependent on the
viewpoint, the situation and the circumstances in which they are being considered
Threat, Vulnerability, Impact and Risk
Vulnerability
• Vulnerability is defined as a weakness of an
asset or control which can be exploited by one
or more threats
• For example, if someone wants to travel out
into the cloudy environment without an
umbrella, this can be considered a
vulnerability
• If something (the threat) occurs (it rains), then
the outcomes could be detrimental
Threat, Vulnerability, Impact and Risk
Risk
• Risk is defined as the impact of
uncertainty on objectives. If there is a
threat (of rain) and a vulnerability, then
there is a risk that the person concerned
might get wet and ruin their expensive
clothes
• There may be other risks associated with
this same set of circumstances – ruined
hair style, late attendance for an
appointment, and so on
Threat, Vulnerability, Impact and Risk
Impact
• The impact is defined as the result of an information
security incident, caused by a threat, which affects the
assets. The effect of the risk actually occurring is perhaps
the most significant concept of all to understand. It is the
possible effect which has to be considered and managed in
IA
• If the impact is insignificant and small – then it may be
entirely suitable to accept the risk and to take no further
action other than to monitor it. On the other hand, if the
possible effect could be dismissal from a well-paid job, then
more suitable countermeasures need to be considered
Organisational Risk Appetite and Risk
Tolerance
Risk Appetite
• Risk appetite is defined as a target level of loss
exposure that the company views as
acceptable, given business resources and
objectives
• In other words, risk appetite is the level of risk
that a company is willing to accept while
pursuing its objectives, before any action is
deemed essential in order to decrease the risk
Organisational Risk Appetite and Risk
Tolerance
Risk Tolerance
• Risk Tolerance is defined as the degree of variance
from the organisation's risk appetite that the
organisation is willing to tolerate. In other words,
risk tolerance is defined as an organisation's or
stakeholder's willingness to bear the risk after the
treatment to attain its objectives
• Risk tolerance reflects the acceptable variation in
results related to particular performance measures
associated with objectives the entity seeks to attain
Information Security Policy Concepts
• Any company must have a policy for its management of IA (Information Assurance). It is
generally a brief, punchy statement from the chief executive indicating that they
acknowledge the threats to the business resulting from an inadequate assurance of
information and will take appropriate steps to deal with them
• It should include statements that make it clear that the organisation regards risk as a
serious issue, that it is discussed at all suitable meetings, and that those with the right
authority and responsibility take an active interest in it
• In order to ensure suitable levels of assurance within the organisation, it is common for
organisations to form an information assurance or security working group to lead the
activities required
The Types, Uses and Purposes of Controls
• In the IA sense, controls are those activities that are taken
to manage the risks recognised. There are four main kinds
of strategic control, although the actual implementation of
each of these types can differ
• Eliminate. Risk avoidance: an informed decision not to be
involved in, or to withdraw from, an activity in order not to
be exposed to a particular risk. It means taking a course of
action which removes the threat of a specific risk occurring
at all
• It could entail removing a specific item that is unsafe,
choosing to do things in a different way or any number of
other options. This action is sometimes referred to as
‘avoid’, ‘prevent’ or ‘terminate’
The Types, Uses and Purposes of Controls
(Continued)
• Reduce. Risk reduction: action is taken to
decrease the negative consequences, the
likelihood, or both, associated with a risk
• This means taking one or more actions which
will lessen the likelihood or the impact of the
risk occurring. It is rare for a single action to
reduce both the likelihood and the impact
• It is often necessary to use several of these
measures in combination to have the desired
overall effect
The Types, Uses and Purposes of Controls
(Continued)
• Transfer. Risk transfer: A form of risk
treatment including the agreed division of
risk with other parties
• This means to take steps to move the
accountability for a risk to another
company who will take on the
accountability for the future management
of the risk
The Types, Uses and Purposes of Controls
(Continued)
• Accept. Risk acceptance: a decision to accept the risk. It
means senior management accepting that it is not
considered sensible or practical to take any further
action other than to monitor the risk
• There could be several reasons why other actions are
deemed inappropriate, including but not limited to:
the possible impact of the risk is too small; the possibility
of the risk occurring is very small; the cost of
appropriate measures is extremely high compared
to the financial impact of the risk occurring; the risk is
outside the direct control of the company
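As an added worked example (not part of the course material), the following Python script applies the risk appetite and risk tolerance definitions above, together with the four acceptance grounds listed under Accept, to a small constructed risk register. The five-point likelihood and impact scales, the likelihood × impact rating and the numeric appetite/tolerance thresholds are assumptions chosen for illustration; the slides do not prescribe them.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed five-point ordinal scales (not from the course material):
# likelihood 1 (rare) .. 5 (almost certain); impact 1 (insignificant) .. 5 (severe)


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    control_cost: float     # estimated cost of the countermeasures under consideration
    expected_loss: float    # estimated financial impact if the risk materialises
    within_control: bool = True


def rating(risk: Risk) -> int:
    """Likelihood x impact: the usual risk-matrix rating (an assumption, not the slides' formula)."""
    return risk.likelihood * risk.impact


def acceptance_grounds(risk: Risk, small: int = 2) -> List[str]:
    """The four reasons the slides give for judging further action inappropriate."""
    grounds = []
    if risk.impact <= small:
        grounds.append("possible impact is too small")
    if risk.likelihood <= small:
        grounds.append("possibility of occurring is very small")
    if risk.control_cost > risk.expected_loss:
        grounds.append("cost of measures exceeds the financial impact")
    if not risk.within_control:
        grounds.append("risk is outside the company's direct control")
    return grounds


def evaluate(risk: Risk, appetite: int, tolerance: int) -> str:
    """Compare a risk's rating with the target level (appetite) and the
    variance from that target the organisation will bear (tolerance)."""
    r = rating(risk)
    if r <= appetite:
        return "within appetite: accept and monitor"
    if r <= appetite + tolerance:
        return "within tolerance: accept and monitor, review next cycle"
    grounds = acceptance_grounds(risk)
    if grounds:
        # Acceptance is a senior-management decision, so flag it rather than decide here
        return "exceeds tolerance: acceptance needs senior management sign-off (" + "; ".join(grounds) + ")"
    # Which of eliminate / reduce / transfer fits is a judgement for the risk owner
    return "exceeds tolerance: treat (eliminate, reduce or transfer)"


def review_register(register: List[Risk], appetite: int, tolerance: int) -> Dict[str, str]:
    """Evaluate every risk, highest rating first."""
    return {risk.name: evaluate(risk, appetite, tolerance)
            for risk in sorted(register, key=rating, reverse=True)}


# Constructed sample register; the figures are illustrative only
REGISTER = [
    Risk("Unencrypted laptop stolen", likelihood=4, impact=4, control_cost=5_000, expected_loss=200_000),
    Risk("Office flooded", likelihood=2, impact=5, control_cost=1_000_000, expected_loss=150_000, within_control=False),
    Risk("Caught in the rain on the way to work", likelihood=3, impact=1, control_cost=20, expected_loss=50),
    Risk("Key supplier outage", likelihood=3, impact=3, control_cost=40_000, expected_loss=60_000),
]

if __name__ == "__main__":
    for name, decision in review_register(REGISTER, appetite=6, tolerance=3).items():
        print(f"{name}: {decision}")
```

Run as a script it prints one decision per risk. The choice between eliminate, reduce and transfer is deliberately left to the risk owner, since the slides describe it as a judgement about cost, practicality and who is best placed to carry the risk, not something a formula can settle.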
Defence in Depth and Breadth
Defence-in-depth
• Defence in depth typically refers to the traditional methodology of IT security in which
different layers of security are implemented to protect the IT infrastructure. It is
similar to the layers of an onion, with each onion layer representing a security layer
• Defence in depth was adopted from military defence strategy, used particularly in
medieval times to protect monarchs in their castles
• The enemy has to fight through all the various outer layers to get to the king in the
innermost centre of the castle, a difficult job to accomplish
• Similarly, each layer of the OSI reference model uses a security strategy for
defence-in-depth security, to protect the data residing in the innermost core of the IT
infrastructure
Defence in Depth example
[Figure: Defense in Depth with Layered Security – concentric layers of Physical Access
Controls, Logical/Technical Controls and Administrative Access Controls]
Defence in Depth and Breadth
Defence-in-breadth
• Defence in depth has done a good job in the past, but as IT evolves, particularly with the
advent of IoT and cloud, there is a requirement to take a different look at how traditional
security controls are implemented
• Given the nature of modern IT infrastructures, it is not a case of throwing the baby out
with the bathwater, but rather a case of preserving what works and augmenting it
• At each layer of the OSI reference model, defence in breadth is about the implementation
of multiple security controls. It is also about the automation of security processes and
controls
Identity, Authentication and Authorisation
Identity
• Information that explicitly differentiates one entity
from another in a given domain. Often there is a
need to establish who is handling information,
and so the identity of individuals may be required
• This may enable, for instance, audit trails to be
produced to see who changed a particular item of
data and therefore to assign a suitable level of
confidence to the change. This concept is equally
applicable to assets such as specific pieces of
information which need to be identified uniquely
Identity, Authentication and Authorisation
• Identity can be claimed using:
1. User name
2. User ID
3. Account number
4. Personal Identification Number (PIN)
5. Digital identification
Identity, Authentication and Authorisation
Authentication
• The provision of assurance of the claimed identity
of an entity. This process makes sure that the
individual is who they say they are and confirms
their identity to a suitable level of confidence,
appropriate for the task in hand
• At the most basic level this could be merely
asking them for their date of birth, through to
completing a complicated identity check using, for
instance, biometrics, tokens and detailed
biographical-data checks
Identity, Authentication and Authorisation
Authentication
• The following are the three basic methods of authentication:
1. Type 1 – something you know: a Type 1 authentication factor is something that a user
knows. It comprises a password, personal identification number (PIN) or passphrase
2. Type 2 – something you have: a Type 2 authentication factor is something that a user
has. It comprises a smartcard, Universal Serial Bus (USB) drive, hardware token or
memory card
3. Type 3 – something you are: a Type 3 authentication factor is something that the user
is, or something the user does. Something the user ‘is’ comprises fingerprints, retina
patterns, etc., and something the user ‘does’ comprises signature and keystroke dynamics
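The following Python script is an added example (not from the course slides) of combining a Type 1 and a Type 2 factor in a single login check: a salted PBKDF2 password hash for something the user knows, and a time-based one-time code (RFC 6238 TOTP, computed with HMAC-SHA1 as a hardware or phone token would) for something the user has. The user record, the password, the fixed salt and the token secret are constructed test data (the secret is the RFC 6238 reference key); a real system would generate the salt with os.urandom and a fresh secret per user.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune upwards for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Type 1 factor: store a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Type 2 factor: accept the current step plus one either side to allow for clock drift."""
    if len(code) != 6 or not code.isdigit():
        return False
    counter = int(at_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            ok = True
    return ok


# Constructed user record. The salt is fixed here only so the example is reproducible.
_SALT, _PW_HASH = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _PW_HASH,
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference key, test data only
    }
}


def verify_login(username: str, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass. Only True/False is returned, so a failed attempt does not
    reveal whether the password alone was correct."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, at_time)  # evaluated even if pw_ok is False
    return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)  # what the user's token would display
    print("login ok:", verify_login("alice", "correct horse battery staple", code, now))
```

Both factors are always evaluated and a single boolean is returned, so an attacker who has guessed the password cannot confirm it from the response alone; the one-step drift window is the usual trade-off between usability and the replay window of a captured code.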
Identity, Authentication and Authorisation
Authorisation
• The right or permission which is granted to a system entity to access a system resource
(ISO/TR 22100-4)
• For anyone to use a system of information retrieval, management and so on, it is good
practice to have the authorisation method which makes clear the assets to which
someone must have access and the kind of access they should have
• This authorisation will differ depending on the individual, the business requirement, the
type of asset and a range of other aspects. Who has the authority to approve such
authorisations will vary according to the type of usage needed
Accountability, Audit and Compliance
Accountability
• The property which assures that the actions of
an entity can be traced to the entity uniquely
• When any action is taken on an information
system or as part of the information assurance
management system, an individual needs to
be accountable for that action
• The person who has responsibility may delegate
the actual work to someone else, but they still
retain the responsibility
Accountability, Audit and Compliance
Audit
• The review of a party’s ability to meet, or continue to meet, the initial and continuing
approval agreements as a service provider. It is the checking (formal or informal) of the
records of the system to assure that the activities that were expected to have taken place
have actually occurred
• The objectives of an audit could involve recognising gaps in the functionality of the
system, noting trends over time to assist with problem identification or resolution, or
some other requirements. It can also assist in recognising the misuse of information or
the improper use of authorisation, for example, and thus identify unauthorised
activity
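Added example (Python, not from the course slides) tying the authorisation, accountability and audit ideas together: an authorisation check against a constructed role-to-permission table, an audit trail in which every access decision is recorded against the identity that made it, and an audit routine that reads the trail back to pick out unauthorised attempts and to confirm the records have not been altered. The roles, assets and timestamps are constructed; chaining each entry to the hash of the previous one is a common way to make an audit log tamper-evident and is an assumption here, not something the slides describe.

```python
import hashlib
import json
from typing import Dict, List, Set

# Constructed permission matrix (assumption): role -> asset -> permitted actions
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "clerk":   {"customer_records": {"read"}},
    "manager": {"customer_records": {"read", "update"}, "payroll": {"read"}},
    "auditor": {"audit_log": {"read"}},
}

GENESIS = "0" * 64  # value of "prev" for the first entry in the trail


class AuditTrail:
    """Append-only record of who did what, when, and whether it was allowed.
    Each entry stores the SHA-256 of the previous entry, so editing or deleting an
    earlier record breaks the chain and is detected by verify_chain()."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    @staticmethod
    def _digest(body: Dict[str, str]) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, **fields: str) -> Dict[str, str]:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = dict(fields, prev=prev)
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def authorise(trail: AuditTrail, user: str, role: str, asset: str, action: str, when: str) -> bool:
    """Decide whether `user` (acting in `role`) may perform `action` on `asset`,
    and record the decision, allowed or denied, against that identity (accountability)."""
    allowed = action in PERMISSIONS.get(role, {}).get(asset, set())
    trail.record(when=when, user=user, role=role, asset=asset, action=action,
                 outcome="allowed" if allowed else "denied")
    return allowed


def audit_unauthorised(trail: AuditTrail) -> List[Dict[str, str]]:
    """Audit step: the denied entries are the unauthorised activity a reviewer follows up."""
    return [e for e in trail.entries if e["outcome"] == "denied"]


if __name__ == "__main__":
    trail = AuditTrail()
    authorise(trail, "alice", "clerk", "customer_records", "read", "2024-03-01T09:00:00Z")
    authorise(trail, "alice", "clerk", "payroll", "read", "2024-03-01T09:05:00Z")
    authorise(trail, "bob", "manager", "customer_records", "update", "2024-03-01T09:10:00Z")
    for e in audit_unauthorised(trail):
        print("unauthorised attempt:", e["when"], e["user"], e["action"], e["asset"])
    print("trail intact:", trail.verify_chain())
```

Denied requests are logged as deliberately as allowed ones, because a pattern of denials against assets a role should never touch is exactly the improper use of authorisation the audit bullet above describes; the chain check gives the auditor confidence that the records being reviewed are the records that were written.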
Accountability, Audit and Compliance
Compliance
• Meeting or exceeding all relevant needs of a standard or other published set of
requirements
• Assuring that a system or process complies with the expected or defined operating
procedure is compliance
• This could comprise a major operation, like a whole organisation being compliant with
an identified national standard for information assurance, or could be much more
restricted, with just particular aspects of the operation, or even individual users of a
particular system, being compliant
• In general, compliance should be individually audited to achieve certification against a
standard; for example, a legal or regulatory framework
Information Security Professionalism and
Ethics
• General awareness of the work performed by information assurance professionals is
gradually improving as organisations become highly complex with more and more
information being processed and managed
• The adage that the staff are the organisation's most critical asset could now be seen to
be outmoded since it is frequently the case that it is the information an organisation
holds and uses efficiently that has become its most important asset
• Hence, looking after it has also grown in importance, and the whole profession has
evolved to meet the requirement
The Information Security Management
System (ISMS)
• An Information Security Management System (ISMS) is the part of the overall management
system, based on a business risk approach, used to establish, operate, implement,
review, monitor, maintain and improve information security
• The primary principle behind the ISMS is that there should be a 'one-stop-shop' for all
information pertinent to the assurance of information inside a company
• As soon as there is a need to go looking for documentation, practices, policies or
anything else to do with assurance, the possibilities are that someone will not bother
and will do their own thing
• The result of this strategy will surely be a decrease in the overall level of assurance
Information Assurance and Information
Governance
Information Governance
• Information Security Governance is the system
by which a specific organisation's information
security activities are directed and controlled
• Like IT governance, information security
governance is an extension of organisational
governance, and although in general there are
many potential models, information security
governance and IT governance overlap to a
degree, depending on their respective objectives
and scope
Information Assurance and Information
Governance
(Continued)
• It is imperative that the company is aware of, and puts into practice, principles which
provide a solid foundation for the application of information security governance
processes to attain these goals. There are six principles of information security
governance:
1. Establish information security throughout the organisation
2. Take a risk-based approach
3. Establish the direction of investment decisions
4. Ensure compliance with internal and external requirements
5. Promote a positive security environment
6. Performance analysis
Module 2: The Need for, and Benefits of
Information Security
The Importance of Information Security as
Part of a Business Model
Information Security
• The preservation of the confidentiality, integrity
and availability of information; in addition, other
properties such as accountability, non-repudiation,
authenticity and reliability can also be involved.
Neither assurance nor information operates in a
vacuum
• Both need to take account of the environment
in which they are operating and address the
issues that this environment brings with it
The Importance of Information Security as
Part of a Business Model
Information Assurance (IA)
• The confidence that information systems will protect the information they carry and will
function as they are required to, under legitimate users' control
• Technical, administrative and physical controls are required to accomplish these tasks
• While focused mainly on information in digital form, the full range of IA
encompasses not only digital but also physical or analogue forms
Different Business Models and their Impact
on Security
• The basic reason for this is the increased use of technology
that has allowed business to be transacted remotely
instead of in person. One result of this is that a number
of people can make their business transactions themselves
instead of expecting others to act as intermediaries
• No longer do we need to use travel agents to book our
flights, local garages to service our cars, or financial advisers
to obtain investment packages for us. All these and many
more transactions can be carried out directly with the supplier,
often using the internet for communications, or with a trader
in a different part of the country or the world who can offer a
better deal
Effects of Rapidly Changing Information and
Business Environment
• The dominant factor in society today is change: continuing change, inevitable
change. It is now well known that for a business to survive in the existing environment of
change, it must adapt and be capable of adapting rapidly
• It indicates that what was acceptable as a business practice last week may no longer be
acceptable this week; hence, any assurance system put in place must reflect this
changing environment and be flexible enough to cope with it
• However, this does not indicate that assurance can be relaxed or decreased in any way
• Indeed, if anything, the flexibility should provide a higher level of security and assurance
that risks are being handled efficiently
Balancing Cost and Impact of Security With
the Reduction in Risk
• Life can never be free from risk. It is usually
considered that life is all about risk and its efficient
management. The measures taken in an
organisation to reduce risk to an acceptable level
can at times become very expensive
• It is necessary to strike a careful balance between the
cost or business effect of a risk if it happens and the
cost of the steps taken to minimise its likelihood or
impact. Insurance is a typical example. By providing the
financial backing needed to deal with the
occurrence of a risk, an insurance policy may
help offset the cost of a risk
Balancing Cost and Impact of Security With
the Reduction in Risk
(Continued)
• Maintaining the currency of risk countermeasures is the second problem. Once defined
and planned, it is essential that they are not merely put on the shelf to await the risk
arising
• The world around us changes, so the countermeasures may no longer be valid, or their
efficacy or cost may change as time goes on
• Risk management and the maintenance of the consequential actions taken is a
continuous and iterative process that must not be permitted to wither through lack of
action or a misplaced belief that the situation will not alter
Information Security as Part of Overall
Company Security Policy
• Assurance or security is not an add-on; it is not possible to deal appropriately with
assurance by considering it as an additional expense to be avoided if at all possible
• The most efficient way to deal with it is to involve it from the beginning in all areas of the
organisation
• To this end, the inclusion of assurance as part of the operational policy of the organisation
is the only cost-effective method of covering the issues appropriately
• There are apparent similarities between information assurance and health and safety
issues
Information Security as Part of Overall
Company Security Policy
(Continued)
• The battle for a secured working environment has been lost as soon as health and safety
are seen as one person’s problem
• Similarly, assurance is not the concern only of the information security manager, but of
the entire organisation
• It is necessary also that this involvement is from the top of the organisation to the
bottom. Just implementing IA at the middle management or on the shop floor is
meaningless and will surely lead to further assurance issues
• Senior management has an important role to play to assure that they engender a
working environment where IA is the norm and accepted by all
The Need for a Security Policy and Supporting
Standards, Guidelines and Procedures
• Having only a policy for information security or
information assurance on its own is meaningless
• It must be supported entirely by the guidelines of
how to do things correctly, a range of other
documentation including the standards expected,
and procedures for what must be done to preserve
the information assurance in question
• This documentation must be comprehensive but
digestible, something that can be read quickly and
something they will truly read
The Need for a Security Policy and Supporting
Standards, Guidelines and Procedures
(Continued)
• It is excellent practice to make sure that any procedures to be followed are in a detailed
and easily digestible format, perhaps as checklists for operators or support
technicians, or as desk cards or prompts for users
• However, it must be remembered that this is not only about computers
• For instance, procedures are also needed for the management of physical assets such as
filing cabinets, covering how they must be cleared before disposal to avoid the
inadvertent inclusion of a confidential file in the second-hand filing cabinet marketplace
The Relationship with Corporate Governance
and Other Areas of Risk Management
• In recent years the advent of some very high-profile commercial and criminal cases has
resulted in more stringent and invasive legislation about risk-taking in companies. It is
no longer beneficial or acceptable to delegate the responsibility for risk management
down to the manager of the IT section
• The implementation of effective IA should lie at the core of each organisation
regardless of its size, business or sector. Properly implemented, information
security management can ensure that risk is being managed effectively in that area at
least and can form the firm foundation for further risk management in related areas
• If all information is covered by the measures implemented, then operational, financial,
intellectual property rights and an entire range of other risk areas can be managed by
the establishment of a single framework
Security as an Enabler; Delivering Value
Rather Than Cost
• In the information economy in which we all now live, the cost of the loss,
non-availability, corruption or unauthorised release of information could be very high
• The effective implementation of IA measures can have a very advantageous effect on the
potential costs of such events
• Therefore, for the effective management of information, it is easy to develop a
compelling and convincing business case through the use of an approved standard and
related processes
• While it may not be possible to eradicate the risk, it must be possible to ensure at
least that the probability of the risk occurring is significantly decreased or, in terms of the
business impact, that the effects of the risk materialising are reduced considerably
Question 1
Qus 1: If the accuracy of information is a major concern, which of the following would
reflect that this is covered effectively?
A. Confidentiality
B. Integrity
C. Availability
D. None of these
Question 2
Qus 2: When a user logs onto a computer system and is asked for their mother’s maiden
name, which of the following aspects is the system ensuring?
A. Accountability
B. Authorisation
C. Authentication
D. Applicability
Question 3
Qus 3: ISO/IEC 27001 is an international standard for information security. Which
organisation is responsible for its maintenance?
A. The British Standards Institute
B. The government of the country in which it has been implemented
C. The European Union Standards Committee
D. The International Organisation for Standardisation
Question 4
Qus 4: How should the implementation of an information assurance system be seen
within an organisation?
A. As a problem for the IS department only to sort out
B. As a problem on which the senior managers should make a decision, but then leave to
others to deal with
C. As a whole-organisation issue
D. As an issue where outside expertise is the best solution
Question 5
Qus 5: How should the use of an international standard for information security be
viewed by senior managers within an organisation?
A. As a good idea if there was the right business environment in which to implement it
B. As implementing best practice
C. As overkill, unless there are very serious problems with assurance
D. As the pet idea of the IT director, who thinks it will look good to shareholders in the
next annual report of the organisation
Domain 2: Information Risk
Outlines of Domain 2
• Module 1: Threats to, and Vulnerabilities of, Information Systems
• Module 2: Risk Management
Module 1: Threats to, and Vulnerabilities
of Information Systems
Threat Intelligence and Sharing
• One of the greatest challenges of intelligence
sharing is that businesses do not know how sharing
any of their network data will strengthen their security
over time. There is a fear that if you have something
open to disclosure, it makes you inherently more
vulnerable, similar to the early days of open-source
software
• Though, as open source ultimately proved, more
individuals cooperating in the open can lead to
several positive results, including better security. The
other major challenge is that blue teams do not have
the luxury, which criminals enjoy, of sharing threat
intelligence with heedless abandon: we have legal teams
Threat Categorisation (Accidental and
Disasters, Internal and External)
Accidental and Disasters
• Accidents and disasters may cause problems related to information for companies
• Most of these will be accidental and will involve natural disasters such as landslides,
floods, earthquakes and tsunamis, though it can also involve environmental disasters
such as chemical leaks and explosions
• Sometimes accidental threats are referred to as hazards, particularly when related to
external events
• The implications are that there has been no intentional effort to carry out the threat – it
has merely occurred
Threat Categorisation (Accidental and
Disasters, Internal and External)
Internal and External
• Internal threats happen when someone
has authorised access to the network
with either an account on a server or
physical access to the network
• A threat can be internal to the company
as the result of the failure of a company
process or employee action
Threat Categorisation (Accidental and
Disasters, Internal and External)
(Continued)
• External threats can originate from people or companies operating outside of a
company; they do not have authorised access to the computer networks or systems
• The most apparent external threats to resident data and computer systems are natural
disasters such as hurricanes, floods, fires and earthquakes
• External attacks happen through partner networks, connected networks or physical
intrusion
Types of Accidental Threats
Accidental Threat
• Accidental threats are the circumstances in which data loss or damage occurs as a
result of an insider who has no malicious intention
• For instance, an employee can accidentally delete a significant file, fall victim to a
phishing attempt, or accidentally share more data with a business partner than is
consistent with legal requirements or the policy of the organisation
Types of Accidental Threats
• The following are the most common causes of breaches resulting from accidental threats:
1. Weak Passwords
2. Password Sharing
3. Unsecured Wi-Fi
4. Unlocked Devices
5. Phishing Attempts
Types of Deliberate Threats
• Deliberate threats to information infrastructure are of several types:
1. Espionage or Trespass
2. Information Extortion
3. Sabotage or Vandalism
4. Theft of Equipment or Information
5. Identity Theft
6. Software Attacks
7. Supervisory Control and Data Acquisition (SCADA) Attacks
8. Cyberterrorism and Cyberwarfare
Types of Deliberate Threats
1. Espionage or Trespass: Espionage or trespass occurs when an unauthorised person tries
to obtain illegal access to organisational information. Differentiating between
competitive intelligence and industrial espionage is essential. Competitive intelligence
includes legal information-gathering techniques, such as attending trade shows and
studying the organisation's website and press releases. Industrial espionage, in
contrast, crosses the legal boundary
2. Information Extortion: Information extortion happens when an attacker either
threatens to steal information from an organisation or actually steals it. The
perpetrator then demands payment for not stealing the information, for returning stolen
information, or for agreeing not to reveal it
Types of Deliberate Threats
3. Sabotage or Vandalism: Sabotage and vandalism are deliberate acts which include
defacing the website of a company, potentially damaging the reputation of the company
and causing its clients to lose trust. Hacktivism or cyberactivism is one kind of online
vandalism operation
4. Theft of Equipment or Information: With vastly enhanced storage, storage devices and
computing devices are becoming smaller yet more powerful. Consequently, these devices
are becoming easier to steal and easier for attackers to use for stealing data. The
practice of rummaging through residential or commercial trash to find information which
has been discarded is one type of theft, known as dumpster diving. Paper files, emails,
memos, photos, IDs, passwords, credit cards and other types of information can be found
in dumpsters
Types of Deliberate Threats
5. Identity Theft: Identity theft is the deliberate assumption of another individual's
identity, generally to obtain access to their financial information or to frame them
for a crime. Methods for illegally gathering personal information include: stealing mail
or dumpster diving; infiltrating companies that store huge amounts of personal
information; stealing personal information from computer databases; impersonating a
trusted company in electronic communication (phishing)
6. Software Attacks: Software attacks have developed since the early years of the
computer era, when attackers used malicious software to infect as many computers
worldwide as possible. To make money, modern cybercriminals use blended, sophisticated
malware attacks, usually delivered through the Web
Types of Deliberate Threats
7. Supervisory Control and Data Acquisition (SCADA) Attacks: SCADA is a large-scale,
distributed measurement and control system. SCADA systems are used to control or monitor
physical, chemical and transport processes in facilities such as water and sewage
treatment plants, oil refineries, nuclear power plants and electrical generators
8. Cyberterrorism and Cyberwarfare: Cyberwarfare and cyberterrorism are malicious
actions in which attackers, typically to carry out a political agenda, use a target's
computer systems, especially through the Internet, to cause physical, real-world harm or
serious disruption. These actions range from collecting data to attacking critical
infrastructure
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
Dark Web
• The web is divided into three sections: the surface web, the deep web and the dark
web. The web that we regularly surf is known as the surface web, and it is accessible to
the general public. The deep web consists of internet resources which are behind a
paywall, blocked from indexing or require authentication to access, such as your online
bank account
• The dark web is a part of the internet which needs specialised software, such as Tor
or the I2P project, to access. The dark net has various layers of encrypted resources
which mask the identity of its users. Regular search engines cannot access or reach this
specific online space
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
Effects
• The influence of the dark web can be far-reaching. For some companies, the dark net
only becomes a reality after an attack or data leak is discovered
• The dark web causes not only financial loss to your business but also reputational
damage
• A challenge a company may face is not knowing when cybercriminals are trading its
private data
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
What is Sold?
• Login Credentials
• Financial Records
• Trade Secrets and Formulas
• Medical Records
• Credit Cards
• Research Data
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
IoT Vulnerabilities
• There are various attack vectors associated with Internet of Things devices. Since
most of them are cyber-based, it is quite challenging to manage and secure an overall
IoT infrastructure
1. A Shaky Web Interface: Many devices and gadgets have a built-in web server which
hosts a web application to manage them. Like any web server or application, there may
be defects in the source code which leave the interface vulnerable to cyber attack
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
2. Improper Usage of Authentication or Authorisation Mechanisms: Usually, in IoT
devices, there are flaws in the implementation of the authorisation or authentication
mechanisms. It gets more serious when the security features provided in the IoT devices
are not used by customers to the fullest extent feasible
3. Insecure Network Services: IoT devices have tools for testing and diagnostics, along
with services such as debugging. These “maintenance” services have probably been only
lightly tested, making it likely that there is exploitable source code behind them.
Moreover, more features mean more security imperfections in the IoT devices and their
respective infrastructure
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
4. An Absence of Transport Layer Encryption: Anybody can read your data if your IoT
device sends private data over an unsafe protocol. This only underscores the importance
of having secure communications protocols with these devices
5. Privacy Issues: If the data is not encrypted on the IoT device, and other people have
access to it, it leaves your data vulnerable to theft and hijacking
6. Unreliable Cloud Interface: Various IoT devices can connect to the Cloud. Hence,
having a Cloud-based management interface presents yet another possible security
vulnerability. By contrast, an on-device management interface is harder for a remote
attacker to access, as it is behind the home firewall or router
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
Challenges/Issues in Big Data Security
• As big data is an attractive target for attackers, data professionals must play an
active role in providing data security. The increase in third-party applications and
bring your own device (BYOD) has given rise to more concerns related to big data
security
• Big data depends on cloud storage, though it is not just the cloud that has introduced
security issues: third-party applications can easily introduce risk into the company
network when security measures are not up to the established standards and policies of
the government
Threats from the Dark Web and
Vulnerabilities of Big Data and the IOT
• The following are some of the apparent data security issues which should be considered:
1. Access Authentication
2. Data Security
3. Data Mining
4. Intrusion Detection and Prevention
5. Protect Communications
6. Key Management
7. Storage
8. Real Time Data Security Monitoring
Sources of Accidental Threat
Insider Threat
• Usually, an insider threat is a person who uses the access they have been granted to
the resources of a company to cause harm to the business. Although associating threat
with malicious intent can be tempting, the fact is that the majority of insider threats
come from negligent insiders rather than malicious insiders
• There are two types of insider threat:
1. Malicious Insider
2. Negligent Insider
Sources of Accidental Threat
1. Malicious Insider: A malicious insider is a person who intentionally steals data from
a company or carries out an activity with the intent to cause harm to the company.
Generally, it is someone who has legitimate network access and abuses that access for
personal satisfaction or gain. For these attackers, the usual goals and drivers include:
financial gain; personal vendetta; intellectual property theft; espionage on behalf of a
different organisation
2. Negligent Insider: A negligent insider is someone who accidentally compromises data
or puts the company at risk because of insecure behaviour. This involves not just the
direct employees of a company but also contractors and third-party vendors. Instances of
insecure behaviour include: emailing sensitive information to the wrong individual;
falling victim to a phishing attack; losing a laptop; circumventing security policy or
using bad judgement while accessing resources of the organisation
Vulnerability Categorisation
• Vulnerabilities of IT systems fall into two different categories: general
vulnerabilities and information-specific vulnerabilities
o General vulnerabilities: these involve basic weaknesses in software, facilities or
buildings, hardware, processes, people and procedures
o Information-specific vulnerabilities: these involve unsecured computers, including
personal computers, memory sticks and hand-held devices, unpatched operating systems and
applications, servers, unsecured wireless systems, unsecured network boundary devices,
unsecured email systems, unsecured web servers and unlocked filing cabinets
Vulnerability Categorisation
(Continued)
• The vulnerability of information leakage from smartphones has in recent times become
broadly recognised, and many of the applications written for them enable others to
access not only the device's store of information but also its metadata, such as the
location of the user
• The increasing use of cloud-based services, whether platform as a service (PaaS),
infrastructure as a service (IaaS) or software as a service (SaaS), implies that there
is a further possibility of information leakage because of vulnerabilities in the cloud
services themselves
Vulnerabilities of Specific Information System
Types
E-mail Vulnerabilities
• E-mail is one of the most popular delivery mechanisms for worms, viruses, Trojans and
other malicious code. E-mail clients also have additional capabilities, such as
auto-download and auto-execute features, which have transformed hyperlinks in the
content of an e-mail and its attachments into a severe threat to every system
• The protocols used in e-mail infrastructure are not secure. As they do not support
encryption, they transfer mail in plain text
• E-mail is also vulnerable to spoofing. In spoofing, the attacker sends an e-mail using
a victim's e-mail address as the sender
Vulnerabilities of Specific Information System
Types
(Continued)
• Apart from that, e-mail itself can be used as an attack. For instance, in a Denial of
Service (DoS) attack an individual sends an immense number of messages to a victim's
inbox, which either wipes out their e-mail account or prevents them from receiving any
messages; this process is also known as e-mail bombing
Secure your Email
• The essential thing for securing your e-mail is to maintain the confidentiality of the
messages being exchanged. This is possible through the use of security protocols, some
of which are: MOSS, S/MIME, PGP and PEM
Vulnerabilities of Specific Information System
Types
1. S/MIME (Secure/Multipurpose Internet Mail Extensions): S/MIME is a security protocol
which offers both authentication and confidentiality of e-mail via public-key encryption
and digital certificates
2. MOSS (MIME Object Security Services): MOSS provides authentication, confidentiality
and non-repudiation of the e-mail message. Non-repudiation is an essential concept: it
guarantees that the sender cannot later deny having sent a message. MOSS uses diverse
algorithms in order to provide confidentiality and authentication, among them Message
Digest 2 (MD2), Message Digest 5 (MD5) and the Data Encryption Standard (DES)
Vulnerabilities of Specific Information System
Types
3. PEM (Privacy Enhanced Mail): PEM is a mail encryption mechanism which uses RSA,
X.509 and the Data Encryption Standard for integrity, authentication and
confidentiality
4. PGP (Pretty Good Privacy): PGP uses various encryption algorithms and
public/private-key cryptography to encrypt e-mail and send messages securely. The
initial version used RSA (Rivest, Shamir, Adleman) for encryption, but later versions
offered various other options as well
Vulnerabilities of Specific Information System
Types
Network Vulnerabilities
• Network vulnerabilities are flaws or loopholes in software, hardware or processes
which can threaten the usual functioning of your network
• Vulnerabilities put your business and your clients' sensitive data at risk, leading to
easy entry for hackers, loss of reputation, diminished sales and penalties
• Network vulnerabilities can be broken down into firmware, hardware, software and human
vulnerabilities. If any of these are not managed properly, your network will be easy to
break into
Vulnerabilities of Specific Information System
Types
Causes of Network Vulnerabilities
• Numerous organisations have vulnerabilities and loopholes in their networks
• Devices which are outdated or nearing the end of service can make it easy for
attackers to get their hands on internal information and essential data
• Moreover, your network could be at risk if you are not up to date with patching
Vulnerabilities of Specific Information System
Types
(Continued)
• Common causes of network vulnerabilities are as follows:
o Weak passwords
o Unauthorised/excess access
o Unsecure backup methods
o Poor user tracking
o SNMP community
Vulnerabilities of Specific Information System
Types
Web Server Vulnerabilities
• A web server is a program which stores files and makes them accessible through the
internet or the network
• A web server needs both software and hardware. Usually, attackers target exploits in
the software to obtain unauthorised entry to the server. A few general vulnerabilities
that attackers take advantage of are:
o Default Settings: For example, attackers can easily guess default user IDs and
passwords. Default settings might also permit specific tasks, such as running commands
on the server, which can be exploited
Vulnerabilities of Specific Information System
Types
(Continued)
o Misconfiguration of Networks and Operating Systems: Specific configurations, such as
permitting users to execute commands on the server, can be hazardous if the user does
not have a good password
o Bugs in the Operating System and Web Servers: Discovered bugs in the web server
software or the operating system can also be exploited to gain unauthorised access to
the system
o Lack of Security Policy and Procedures: The lack of security policies and procedures,
such as updating antivirus software and patching the web server software and operating
system, can create security loopholes for attackers
The Contribution of Threats, Vulnerabilities
and Asset Value to Overall Risk
Threats
• A threat is a new or newly discovered incident which has the potential to harm a
system or your organisation
• The following are the three types of threats:
o Natural Threats: such as floods, hurricanes or tornadoes
o Unintentional Threats: such as an employee mistakenly accessing the wrong information
o Intentional Threats: such as spyware, malware, adware companies, or the actions of a
disgruntled employee
The Contribution of Threats, Vulnerabilities
and Asset Value to Overall Risk
Vulnerability
• A vulnerability is a known weakness of an asset (resource) that one or more attackers
can exploit. In other words, it is a known problem which enables an attack to succeed
• For instance, when a team member resigns, you forget to change logins, disable their
access to external accounts, or remove their name from the company's credit cards. In
this case, it leaves your business open to threats which are both deliberate and
unintentional
• Most vulnerabilities, however, are exploited from the other side of the network by
automated attackers and not by a human typing
Types of Impact
1. Operational Loss: This refers to damage to the operating ability of a company. It
involves a loss of service availability, manufacturing output and service data. For
instance, a business whose operations depend on IT systems can be prevented from
performing any work because of cybersecurity threats. Even on the manufacturing line,
the machinery which produces the products gets its instructions from computers which
could be taken offline because of some threat
2. Financial Loss: This refers to damage to the wealth of a company. It involves
organisational losses, legal fees and compensation. Financial loss is the actual
increase in costs or reduction in income caused by the threat. This could be replacing
damaged equipment after sabotage, or lost sales because your website is down after a
malicious hack
Impact Assessment of Realised Threats
3. Reputation Loss: This refers to the loss of faith and lowered opinion of individuals
towards a business as a consequence of them being affected by a threat. It could be a
loss of employees, of customer information or of service. The loss of service arises
because clients no longer want to do business with a company due to concerns over
whether the service will be available. If you subscribed to a website and its services
regularly went down because of cybersecurity threats, it would naturally lead to
questions about whether to continue using it
4. Intellectual Property Loss: Intellectual property loss is when trade secrets or
product designs are stolen, adversely affecting the company. It may be carried out by a
competitor company as corporate espionage, or by a person who wants to blackmail the
company or release the information. For instance, stolen product designs could be used
by a competitor to release a rival product. Stolen trade secrets would have nearly the
same impact as a competitor stealing the formula for a product so they can then make it
themselves
Module 2: Risk Management
Risk Management Process
• Risk management includes different areas:
o Context establishment
o Risk assessment
o Risk treatment
o Communication and consultation
o Continuous monitoring and review
• Risk assessments may take place at various levels, such as across a business system or
process, a corporation or a physical location
• While these are very diverse kinds of risk assessment, the manner in which they are
carried out and how the outcomes are used are basically the same
Risk Management Process
(Continued)
Context Establishment
• The process begins by understanding what the information assets of the company are
and how they fit into the overall model of the business
Risk Identification
• Identifying the threats is one way to begin a risk management exercise. It should be
carried out with an understanding of any known vulnerabilities
• For instance, the operating system and web server software vulnerabilities should be
considered if the assessment looks at the threat of possible hacking attacks on a web
server
Risk Management Process
(Continued)
Risk Analysis
• After identifying the effect or effects of every threat, the next step is to evaluate
the probability of each occurring
• It is tempting at this stage to assume that, as the system may be completely up to
date with its security patches, there is a low probability of a threat being realised
• However, it should be remembered that patching is continuous work, and if it falls
behind, the possibility of an attack being successful will rise
• It must also be remembered that new vulnerabilities are continuously being discovered
Risk Management Process
(Continued)
Risk Treatment
• Having decided, from the output of the risk matrix, the priorities in which to treat
the risks identified, the risk treatment plan should be produced. This will be dealt
with in greater detail later; it allows for four basic choices, which are usually
recognised as strategic controls:
o Avoiding or terminating the risk entirely, often by not doing something which may
incur an unacceptable level of risk;
o Reducing or modifying either the probability or the effect of the risk, typically
through some form of risk mitigation;
o Transferring or sharing some part or all of the risk, for instance by insuring against
the eventuality;
o Accepting or tolerating the risk, a common choice when the assessed level of risk is
low
Communication and Consultation
• It is important that, throughout the risk management process, those conducting the
work maintain good communication with other parts of the company, particularly those who
are responsible for the assets in question and who may ultimately own the responsibility
for agreeing the form of risk treatment, managing the work to completion and funding the
required work
Risk Management Process
(Continued)
Monitoring and Review
• The final stage of the risk management process is to monitor the outcomes of risk
treatment. Depending on the type of threat, the frequency of this phase can differ
• Some threats can change very rapidly and will need monitoring at more frequent
intervals. Others will change little over long periods and require only occasional
monitoring
• The overall risk management process needs to be repeated over time, because some
threats might entirely disappear, and new threats might arise. Again, the interval would
rely on the company's risk appetite and may well be documented in a risk management
policy document or strategy
• Once an organisation understands the amount of risk it is faced with, it must decide how
to manage it. There are four primary methods of dealing with risk: transfer it, avoid it,
reduce it or accept it
• Various types of insurance are available to organisations for protecting their assets. If an
organisation decides that the residual or total risk is too high to gamble with, it can buy
insurance, which transfers the risk to the insurance company
• The risk is reduced if the company implements countermeasures. If management decides
that the activity which is incurring the risk does not have a strong business case for
its existence, then they can decide to stop the activity altogether. This is referred to
as avoiding the risk
Strategic Options for Dealing with Risks and
Residual Risk
(Continued)
• There is an essential distinction between residual risk and total risk, and which type
of risk an organisation is ready to accept. The following are conceptual formulas:
threats x vulnerability x asset value = total risk
(threats x vulnerability x asset value) x controls gap = residual risk
• The threats and vulnerabilities are identified during a risk assessment. The
likelihood of a vulnerability being exploited is multiplied by the value of the asset
being assessed, which results in the total risk
Tactical Ways in Which Controls May be Used
Tactical risk management controls are classified into four types:
1. Detective Controls: Detective controls are those which are designed to recognise
information security events, such as intrusion detection systems
2. Preventative Controls: Preventative controls are those which are designed to stop an
incident from taking place; for instance, the configuration of firewall rules which
restrict users from accessing banned websites
3. Corrective Controls: Corrective controls are those which, having recognised an
information security incident, make suitable alterations to ensure that it does not
cause an impact. For example, anti-virus software that has recognised a virus will block
it and perhaps remove it, to prevent the virus from propagating further
Tactical Ways in Which Controls May be Used
4. Directive Controls: Directive controls are those which are designed to inform users
about things they may and may not do
• An instance of this would be a clause written into an employment agreement which
dictates fair use of the internet and makes explicit the possible penalties for
violation
Tactical Ways in Which Controls May be Used
Applicable types of control shown on an incident timeline (figure): Deterrent Controls,
Directive Controls, Preventative Controls, Compensating Controls, Detective Controls,
Corrective Controls and Recovery Controls, ordered in time relative to the Incident
Operational Types of Controls
• Operational controls are of three types:
o Physical controls place some kind of device between the assets of the organisation
and potential intrusion; for instance, securing access to restricted areas such as data
centres using a card- or token-based access control system
o Procedural controls are designed to guide users in the correct way of undertaking
their work; these may involve process and procedure documents, guidelines, standards and
regulations
o Technical controls are based on both hardware and software solutions to ensure that
risks are reduced or avoided, and these may include intrusion detection systems,
firewalls and activity logging
Identifying and Accounting for the Value of
Information Assets
• Before carrying out any risk assessment on a company's information, it is evident that
each of these 'information assets' must be identified and documented in a business
impact analysis (BIA)
• Most of the information needed to do this will come from questionnaires, so it will be
helpful to note who is responsible for gathering and storing the information, where it
is held, when and how it is used and backed up, and so on
• On occasion, individuals themselves could be deemed an information asset, for instance
if they have unique skills or knowledge in the company or are the only source of
business-critical information
• The value of each of these information assets will depend upon its function, how long
the business can manage without it, how complex it would be to restore or recover, and
how often the information changes
Principles of Information Classification
Strategies
• Principles of data and information classification:
1. Openness, Transparency and Societal Values
2. Content-driven, Technology-neutral Approach
3. Risk Management Approach
4. Proportionality
5. Clear Roles and Responsibilities
6. Lifecycle Approach
Principles of Information Classification
Strategies
1. Openness, Transparency and Societal Values: Classification should be used with care
and according to the data's sensitivity, value and criticality. Access restrictions
should only be selected in situations where disclosure of information could be harmful
to the legal responsibilities and legitimate interests of the company itself, its
employees or third parties
2. Content-driven, Technology-neutral Approach: Information should be categorised based
on its content and the risks associated with that content, regardless of its format,
origin or media
Principles of Information Classification
Strategies
3. Risk Management Approach: Information protection should be afforded in accordance
with the level of sensitivity, value and criticality of the information; this is
commonly done in a graded approach, with levels corresponding to the risk and value. A
protection level sets out the risk-reduction measures needed to bring the risk (the
potential severity and likelihood of the information being compromised) to an
acceptable level
4. Proportionality: Information shall be classified to a suitable level, which should
be as low as feasible, though as high as required
Principles of Information Classification
Strategies
5. Clear Roles and Responsibilities: Responsibility for information classification
should be assigned in the company's information security policy and processes, and
upheld through management awareness of and commitment to information security
6. Lifecycle Approach: The classification system should take account of information
throughout its lifecycle as part of the information management system: from creation or
receipt, through storage, retrieval, transfer, modification, copying and transmission,
to destruction. In addition, the information management or data processing policy of a
company should not be written in stone but regularly reviewed to ensure that it meets
the organisation's needs and expectations
The Need to Assess the Risks to the Business
in Business Terms
• Although carrying out risk assessments is very straightforward (after some practice),
there will be a great temptation to define and document them in risk management
terminology
• This is fine when discussing the assessments with like-minded or similarly experienced
individuals; however, when it comes to selling the idea back to the business, this
terminology may not be well understood by individuals who are unfamiliar with the jargon
• Terminology which is unfamiliar to the recipient may reduce the efficacy of the risk
assessment and will make it harder to persuade the reader that suitable action should be
taken
Balancing the Cost of Information Security
Against the Cost of Potential Losses
• When the outcomes of risk assessments have been made available, there will be
recommendations on how to reduce the higher-level risks
• While the company would not expect a detailed cost estimate for carrying out the
remedial work at this stage, it would be reasonable to have at least a rough idea of the
order of magnitude of the possible expenditure, the resources needed to undertake the
work and the estimated timescales
• In this way, it is possible to present the outcomes of the risk assessments in a more
balanced way so that the decision-makers can take a more objective view
The Role of Management in Accepting Risk
• The option of accepting risk may sound an easy one to take; however, it is not
something which should be done lightly. Several companies are unable to distinguish
between ignoring risk and accepting risk
• If the recommendation is to accept a risk, the decision to do so should be a conscious
one and must be thoroughly documented. It is common practice for a single manager to
sign off a risk
• When the impact is high, it is better practice to have a second manager sign off,
preferably one who is more remote from the risk itself but who nonetheless has a good
knowledge of the possible effect of the risk materialising
• For instance, if a production manager signs off the risk of having only one machine of
a specific kind, a manager from a completely different discipline should counter-sign
the risk to give objective confirmation that acceptance is in order
Contribution to Corporate Risk Registers
• Risk registers are a necessary part of the overall risk management process, and they
serve several objectives:
o They allow all risks identified in the risk assessment process to be documented
formally, which is sometimes a legal requirement
o They permit an authorised observer such as an auditor to have visibility of the impact
and likelihood of each risk and to assess the suitability of the responses selected and
every associated detail
o They enable continuous monitoring of the risk status and of the progress of risk
reduction, and they can be used as the basis of management reports
Contribution to Corporate Risk Registers
(Continued)
• A risk register should include, as a minimum:
o The assessed likelihood and impact of the threat
o The details of the threat
o The overall risk evaluation calculated from these
o The suggested treatment (tolerate or accept, terminate or avoid, modify or reduce,
share or transfer) and the actual actions to be taken
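The minimum register content listed above, together with the sign-off and counter-signature practice from the previous slide, can be captured as a small data structure with an audit check over it. The following is an added example written for this page; it is not code from the BCS syllabus or the course material. The 1-5 likelihood and impact scales, the multiplicative rating, the level thresholds and the sample entries are all constructed assumptions chosen for illustration.

```python
"""Minimal corporate risk register (added example, not from the course material).
The 1-5 scales, the likelihood x impact rating and the band thresholds are assumptions;
a real register uses whatever scale the organisation's risk method defines."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Treatment(Enum):
    """The four treatment options named on the slide."""
    TOLERATE = "tolerate/accept"
    TERMINATE = "terminate/avoid"
    MODIFY = "modify/reduce"
    SHARE = "share/transfer"


@dataclass
class RiskEntry:
    risk_id: str
    threat: str                 # details of the threat
    likelihood: int             # assessed likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                 # assessed impact, 1 (negligible) .. 5 (severe)
    treatment: Treatment        # suggested treatment
    actions: List[str] = field(default_factory=list)  # actual actions to be taken
    signed_off_by: str = ""     # manager who signed off the treatment
    countersigned_by: str = ""  # second, more remote manager for high-impact acceptance

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def rating(self) -> int:
        """Overall risk evaluation calculated from likelihood and impact."""
        return self.likelihood * self.impact


def risk_level(rating: int) -> str:
    """Map the numeric rating onto reporting bands (assumed thresholds)."""
    if rating >= 15:
        return "high"
    if rating >= 8:
        return "medium"
    return "low"


def review_entry(entry: RiskEntry) -> List[str]:
    """Findings an auditor would raise against a single register entry."""
    findings: List[str] = []
    if entry.treatment is Treatment.TOLERATE:
        if not entry.signed_off_by:
            findings.append("accepted risk has no documented sign-off")
        if entry.impact >= 4 and not entry.countersigned_by:
            findings.append("high-impact acceptance lacks a second signature")
    elif not entry.actions:
        findings.append(f"treatment '{entry.treatment.value}' has no actions recorded")
    return findings


def register_report(entries: List[RiskEntry]) -> List[Dict[str, object]]:
    """Management report: entries sorted by rating, highest first, with findings."""
    rows: List[Dict[str, object]] = []
    for entry in sorted(entries, key=lambda e: e.rating, reverse=True):
        rows.append({
            "id": entry.risk_id,
            "rating": entry.rating,
            "level": risk_level(entry.rating),
            "treatment": entry.treatment.value,
            "findings": review_entry(entry),
        })
    return rows


# Constructed sample entries for a fictional organisation.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Only one CNC machine of its type; failure halts production",
              likelihood=2, impact=5, treatment=Treatment.TOLERATE,
              signed_off_by="production manager"),  # no counter-signature yet
    RiskEntry("R-002", "Ransomware delivered by phishing e-mail", likelihood=4, impact=4,
              treatment=Treatment.MODIFY,
              actions=["mail filtering", "offline backups", "awareness training"],
              signed_off_by="CISO"),
    RiskEntry("R-003", "Loss of laptop holding unencrypted personal data", likelihood=3,
              impact=4, treatment=Treatment.SHARE),  # transferred, but no actions recorded
    RiskEntry("R-004", "Office coffee machine outage", likelihood=5, impact=1,
              treatment=Treatment.TOLERATE, signed_off_by="facilities manager"),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

Running the block prints the register ordered by rating; R-001 shows the missing counter-signature and R-003 the missing actions, which is exactly the kind of detail an auditor reviewing the register would expect to see flagged.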
Question 6
Qus 6: What are the four types of strategic risk treatment that can be used?
A. Accept, transfer, ignore, control
B. Avoid, ignore, transfer, mitigate
C. Accept, avoid, reduce, transfer
D. Reduce, transfer, mitigate, control
Question 7
Qus 7: A business impact analysis considers which of the following?
A. The consequences of a threat being carried out
B. The likelihood of a threat occurring
C. The likelihood that a vulnerability will be exploited
D. The probability that losses might result from an incident
Question 8
Qus 8: A risk assessment is designed to achieve which of the following?
A. To identify the likely impact if a vulnerability is exploited
B. To identify the degree of likelihood that a vulnerability will be exploited
C. To identify the likely impact if a threat occurs
D. To identify the degree of likelihood that a threat will occur and its likely impact
Question 9
Qus 9: Which of the following is NOT a threat?
A. Failure of the local mains power supply
B. An easily guessed password
C. A transmission circuit cable break
D. Flooding of a data centre
Question 10
Qus 10: Once the key risks have been assessed, what action is unacceptable for very low
risks?
A. They can be ignored
B. They can be accepted
C. They can be treated
D. They can be terminated
Domain 3: Information Security
Framework
• Module 1: Organisation and Responsibility
• Module 2: Organisational Policy, Standards and Procedures
• Module 3: Information Security Governance
• Module 4: Information Security Implementation
• Module 5: Security Incident Management
• Module 6: Legal Framework
• Module 7: Security Standards and Procedures
Outlines of Domain 3
Module 1: Organisation and
Responsibility
The Organisation’s Management of
Information Security
• Establishing an organisational structure to manage
information assurance provides a framework for
making sure that the assurance requirements of
the enterprise are understood and that the
responsibilities for meeting them are allocated
suitably across the enterprise
• Accountabilities must be clearly defined, whether
on a local basis or at an enterprise level, and
assurance activities need to be coordinated
properly across the organisation to ensure that
they are being managed efficiently
Information Security Roles within the
Enterprise
• There should be a nominated resource within the
organisation that has day-to-day responsibility for managing
information assurance issues
• This is to ensure that good information assurance practice
is applied correctly and efficiently across the enterprise and
to co-ordinate all assurance activities
• In larger organisations, this should be a full-time
role, and the manager of this function is frequently referred
to as the information security manager, the head of
information assurance or the Chief Information Security
Officer (CISO)
Placement in the Organisation Structure
• Placement of the various assurance roles in an
organisation will generally depend on the structure, the
specific needs and the culture of the enterprise
• Hence, there are no hard and fast rules as to exactly
where the roles should sit, how they should
be organised or what their scope should cover
• In some firms, the information assurance function is
located in the corporate compliance area
• This is common in enterprises or industries that have a
strong compliance culture, such as manufacturing or banking
Placement in the Organisation Structure
(Continued)
• In other firms, the function is based in the IT group because many of the controls that
defend the enterprise depend on computer technology
• Sometimes, the function is placed in a central services group, since assurance
obligations often span several management areas inside an enterprise
• To work efficiently, reporting structures should contain dotted-line obligations to roles
including, but not limited to, the senior responsible owner (SRO), the chief risk
officer (CRO), the chief information officer (CIO), the senior information risk owner (SIRO)
and the chief finance officer (CFO)
Senior Leadership Team Responsibilities
• In an organisation, one senior person should be given overall responsibility for
protecting the assurance of the firm’s information assets and be formally held accountable
• A board member or equivalent should perform this role to demonstrate the enterprise's
management commitment to information assurance
• In some organisations, the CISO or equivalent is a board member
• The key responsibility of this person is to make sure that suitable assurance controls are
implemented across the enterprise and to:
o provide a single point of accountability for information assurance;
Senior Leadership Team Responsibilities
(Continued)
o make sure that assurance goals are identified and meet the requirements of the
enterprise
o make sure that appropriate assurance resources are made available to protect the
enterprise to an acceptable and agreed level of risk
o assign particular assurance roles and responsibilities across the enterprise
o give commitment, clear direction and visible support for assurance initiatives, for
instance by approving and signing off high-level security policies, requisite
architectures and strategies
Responsibilities Across the Wider
Organisation
• Attaining good information assurance needs teamwork and a wide variety of skills
ranging from managerial to administrative and technical
• It is unlikely that any one person would have all the necessary skill sets, or even the
time, to perform everything that is needed; hence, roles should be delegated to
particular individuals or suitable teams with the required skills
• For example, the skill sets needed to maintain an enterprise's anti-virus systems are
different from those required to administer user identities
• All those involved need to have a proper understanding of their responsibilities and be
given explicit support and direction from senior management to attain what is required of
them
Statutory, Regulatory and Advisory
Requirements
• External factors can affect how an enterprise’s information assurance should be
managed, and the enterprise needs to understand these requirements so that suitable
assurance controls can be adopted to allow the business to fulfil its accountabilities
• These requirements can come from a variety of organisations such as the government,
police, trade regulatory bodies, utility companies or telecommunications suppliers. They
may be statutory, regulatory or advisory
• Statutory requirements are legal requirements that must be fulfilled
• Privacy legislation such as GDPR will influence how information is managed and stored in
the enterprise and how resources are deployed to ensure that the enterprise complies with
this legislation
Statutory, Regulatory and Advisory
Requirements
(Continued)
• Regulatory obligations are frequently imposed by trade bodies, and these define how a
firm should operate to conform to specific standards
• Although they are not legal obligations, regulatory bodies have extensive powers,
and failure to comply could lead to fines or, in extreme cases, exclusion from
trading in a specific environment
• The finance sector is an excellent instance of this, as it operates strict controls to prevent
financial malpractice such as money laundering or fraud, and official bodies such as the
Financial Conduct Authority (FCA) have far-reaching powers
Provision of Specialist Information Security
Advice and Expertise
• Those involved in the security function must provide specialist information security
advice and expertise to the enterprise
• A high degree of current knowledge of information assurance matters should be
maintained on topics such as industry trends, changes to the threats facing the
organisation, risk analysis, new control measures, legislation and compliance needs
and the most recent technological developments
• This is a continuous process. It is not essential to have all the answers, but it is necessary
to be in a position to know where to find this information or to have access to
someone with this expert knowledge as and when required
Provision of Specialist Information Security
Advice and Expertise
(Continued)
• One method of attaining this aim is to keep in regular contact with special interest
websites and groups, or to network with information assurance peers in other firms
through a professional association or security forums
• Information regarding new technologies, products, threats and vulnerabilities, or
how to tackle specific assurance issues, can be shared with one another; a co-operative
approach is usually helpful in understanding and addressing these problems before
applying the lessons to one's own circumstances
Creating a Culture of Good Information
Security Practice
• Information assurance requires the collaboration and co-operation of everyone
with access to the enterprise's information
• Including everyone in the assurance process will help to develop a culture of good
information security practice
• A primary factor for success is ensuring that everyone who accesses the enterprise's
information understands what is expected of them
• Having clearly defined assurance roles and obligations, standards and up-to-date
security policies and procedures in place will eliminate any ambiguities
Creating a Culture of Good Information
Security Practice
(Continued)
• These should be communicated clearly and be readily accessible
• Education also plays a significant part in creating a culture of good information
assurance practice
• If everyone knows the value of the enterprise’s information assets and how they can be
put at risk, then they are far more likely to understand why these processes and
procedures are in place
• Day-to-day awareness campaigns initiated by the information security manager can help
to reinforce this message
Module 2: Organisational Policy,
Standards and Procedures
Developing, Writing and Getting
Commitment to Security Policies
• One senior person in the organisation should be given overall responsibility for
protecting the assurance of the organisation’s information assets and be formally held
accountable for ensuring that suitable security controls are implemented across the
business
• A working group should support this director in ensuring that sufficient assurance
measures have been put in place to protect the organisation to an acceptable level of
risk
• Involving senior management will help to endorse the governance process, ensure
that sufficient resources are made available, make sure that controls are implemented
efficiently and that any identified security gaps are addressed
Developing Standards, Guidelines, Operating
Procedures
Policy
• A policy is a high-level statement of an organisation's values, goals and objectives in a
particular area, and of the general approach to attaining them. Although they should be
reviewed regularly, policies should hold good for some time, as they are not intended to
give particular or detailed guidance on how to attain these goals
• For instance, a policy might say that every user is responsible for creating and
maintaining their system passwords, without saying precisely how to do this. Policies are
compulsory
Developing Standards, Guidelines, Operating
Procedures
Standard
• A standard is more prescriptive than a policy. It
quantifies what should be done and gives
consistency in controls, which can then be measured
• For instance, passwords should be a minimum of
eight characters, be a mix of letters, numbers and
special characters, and be changed if
compromised or for another similar reason. Compliance
with standards is also compulsory. They must support
policy and state what ‘must’ be performed and how it
should be attained
Developing Standards, Guidelines, Operating
Procedures
(Continued)
• Standards can be either general or technical, though they must always link to a
particular subject
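The point that a standard "quantifies what should be done" so that compliance "can be measured" is easiest to see when the standard is turned into a check. The following is an added example written for this page, not code from the course material; it encodes exactly the password standard quoted on the previous slide (at least eight characters, containing letters, numbers and special characters). The rule names, the tally format and the sample candidate passwords are constructed for illustration.

```python
"""Measurable check of the password standard quoted on the slide (added example, not
from the course material). The rules are the slide's: minimum eight characters, with
letters, numbers and special characters. Rule names and samples are constructed."""
from typing import Dict, List

MIN_LENGTH = 8  # taken from the standard as stated on the slide


def _is_special(ch: str) -> bool:
    """A 'special character' here is anything that is neither alphanumeric nor whitespace."""
    return not ch.isalnum() and not ch.isspace()


def failed_requirements(candidate: str) -> List[str]:
    """Return the names of the standard's rules that the candidate does NOT meet.

    An empty list means the candidate complies with the standard as written. Note
    that this measures compliance with the standard, not how hard the password is
    to guess; that is why standards are reviewed regularly."""
    failures: List[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"minimum length {MIN_LENGTH}")
    if not any(ch.isalpha() for ch in candidate):
        failures.append("contains a letter")
    if not any(ch.isdigit() for ch in candidate):
        failures.append("contains a number")
    if not any(_is_special(ch) for ch in candidate):
        failures.append("contains a special character")
    return failures


def meets_standard(candidate: str) -> bool:
    """Convenience wrapper used at password-change time."""
    return not failed_requirements(candidate)


def compliance_report(candidates: List[str]) -> Dict[str, object]:
    """Tally how a batch of candidate passwords measures against the standard.

    Intended for checking submissions at the point of change (or a test batch during
    an audit), never for scanning stored cleartext, which should not exist."""
    tally: Dict[str, int] = {}
    compliant = 0
    for pw in candidates:
        failures = failed_requirements(pw)
        if not failures:
            compliant += 1
        for rule in failures:
            tally[rule] = tally.get(rule, 0) + 1
    return {"checked": len(candidates), "compliant": compliant, "failures_by_rule": tally}


# Constructed sample candidates used to exercise the check.
SAMPLE_CANDIDATES = [
    "tr0ub4dor&3",            # complies
    "password",               # no number, no special character
    "12345678",               # no letter, no special character
    "Ab1!",                   # too short
    "correct horse battery",  # spaces are not special characters; no number
]

if __name__ == "__main__":
    for pw in SAMPLE_CANDIDATES:
        print(repr(pw), "->", failed_requirements(pw) or "compliant")
    print(compliance_report(SAMPLE_CANDIDATES))
```

Because every rule is expressed as a yes/no test, the same function can be used both to reject a non-compliant password at the point of change and to report compliance figures to management, which is the measurability a standard provides and a policy does not.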
Procedure
• A procedure is a collection of detailed working instructions and will describe when,
what, how and by whom something should be performed
• Again, they are obligatory and must support policies and standards of the enterprise
Developing Standards, Guidelines, Operating
Procedures
Guidelines
• Guidelines are not compulsory but can give
direction, advice and best practice in areas
where it is difficult to prescribe exactly how
something should be done
• Whether creating policies, standards, guidelines
or procedures, these documents should always
be clearly written and to the point
Developing Standards, Guidelines, Operating
Procedures
(Continued)
• A security policy is a strategic statement of the organisation’s approach to assurance and
sets out the formal organisational stance on assurance matters for everyone to see
• This security policy should include statements on:
o how the enterprise will handle information assurance
o the security of information assets according to their criticality
o the compliance with legal and regulatory responsibilities
Developing Standards, Guidelines, Operating
Procedures
(Continued)
o the means by which users will be made aware of information assurance issues and
the process to deal with violations to policy and suspected assurance weaknesses
o the fact that this policy has the support of the board and chief executive
• As the relations with third parties can be quite different and extensive, any terms
connected with policies, procedures and standards may differ according to the nature
and type of the relation
Developing Standards, Guidelines, Operating
Procedures
(Continued)
• Agreements with third parties should contain the enterprise’s assurance policy.
Generally, they should cover the following arrangements:
o Management of modifications to the application/facility/resource/service/
o Within the third party, the right to audit and monitor assurance arrangements
o Investigation and notification of assurance incidents and security breaches
o The timely sharing of relevant cybersecurity information and knowledge
Developing Standards, Guidelines, Operating
Procedures
• The comparative relationships of Security Policy Components (diagram in the original
deck, showing the layers: Policies; Standards/Baseline; Guidelines; Procedures)
Balance Between Physical, Procedural and
Technical Controls
• Physical, technical and procedural controls (often termed operational types of control)
can offer very effective security mechanisms and do much to reduce the possibility of
incidents happening
• However, they each have their limitations and there are occasions when their use is not
suitable, perhaps because deployment would be far too expensive or complicated given
the perceived value of the information and the associated risk
• Users need to access information systems to carry out their tasks, and this inevitably
introduces a level of risk to the information
Balance Between Physical, Procedural and
Technical Controls
(Continued)
• They may need to share this data with external suppliers or colleagues and make value
judgements as to whether it should be released to them
• Reducing this kind of risk is hard to achieve through technical controls alone
• Technical controls, such as those defined by a document security system, may well
provide a good level of security
• However, there will always be exceptions, and these should be handled consistently by
having a process or policy in place
End-User Code of Practice
• The high-level security policy must be supplemented by an end-user code
of practice or acceptable use policy that gives an easily accessible way of communicating
requirements to end-users
• An acceptable use policy demonstrates the organisation’s commitment to information
assurance and must be approved by the director accountable for information assurance
• It should be available to all users who have access to the organisation’s information
management systems and cover all employees (permanent and temporary, full- and
part-time), third parties and contractors
• The acceptable use policy should detail what is expected of users to secure the
information assets of the organisation
End-User Code of Practice
(Continued)
• The following are the elements included in the policy:
o ensuring that user PINs and passwords are suitably protected, are not compromised
and are changed at appropriate intervals;
o ensuring that users access only the facilities, information and equipment for which they
have a designated business requirement and the requisite authorisations;
o logging off from systems when leaving a workstation unattended;
o locking away sensitive documentation and media when not in use (for instance, as
part of a clear desk policy);
o use of personal devices such as tablets and smartphones;
o ensuring that all security incidents are reported
Consequences of Policy Violation
• Anyone accessing the organisation's information assets needs to know what the
consequences of a policy breach are, and this should be clearly specified in the policy,
procedure or standard
• Suitable processes should be established for reporting and dealing with breaches so that
they are dealt with in a consistent manner
• These processes should be documented and agreed with the appropriate stakeholders
when the documents are created
• Violation of a policy may, in severe cases, lead to an employee disciplinary process being
instigated, termination of a supplier contract or the need to report the behaviour
to the appropriate law enforcement agency
Consequences of Policy Violation
(Continued)
• Therefore, the processes and rules should be agreed,
understood and put in place effectively within the
organisation before violations need to be
dealt with
• It is crucial to involve the legal and HR departments
in the development of such policies to ensure the
proposed course of action complies fully with all
employment legislation and other applicable
national laws
Module 3: Information Security
Governance
Introduction
• There is an increasing amount of regulation and
legislation which requires senior management to
ensure that adequate controls are in place to
protect the enterprise's information assets
• To fulfil these obligations, senior management
needs to know the current status of existing
assurance controls, where such controls are
inadequate and how the organisation's risk profile is
changing
• Effort can then be directed at improving
security mechanisms and managing risk
efficiently
Review, Evaluation and Revision of Security
Policy
• Reviews should take place after any significant changes to either resources or systems,
or as part of a regular review schedule
• A management review process must be established to ensure that policy reviews take place
in an organised and timely manner
• The review schedule should identify everyone to be involved, and a formal record should be
kept of any revisions made, with an explanation as to why content has been altered,
added or removed
• Senior management should then approve the final version of any amended
documentation
Security Audits and Reviews
• Audits and reviews offer an excellent chance to understand how well things are
working in the enterprise and give senior management valuable information on
the assurance of their environment
• Regular independent assurance audits and reviews should be carried out across the business
to ensure that its information systems comply with the current security policies,
controls and standards
• Possible vulnerabilities in these systems can be reviewed, and the effectiveness of
existing controls can be tested
• The audits and reviews should be carried out periodically, or when a significant change
has occurred
Security Audits and Reviews
(Continued)
• To introduce a measure of impartiality to the review, it should be carried out by an
independent party, which will also bring to it a fresh set of eyes
• Ideally, a manager or a member of an audit team that has no conflict of interest in the
outcome could do this
• Alternatively, reviews can be carried out by a third party such as a consulting company or an
external auditor
• In the case of technical reviews, it is often helpful to engage a company with specialist
knowledge in areas such as penetration testing
Checks for Compliance with Security Policy
• Regular checks should be carried out to measure compliance with security policies,
standards and procedures
• Carrying out compliance checks helps to establish whether controls are still adequate
and relevant
• Compliance checks also help in assessing the level of user awareness and
understanding of their assurance responsibilities, and whether or not these are being
taken seriously
• If regular checks are not carried out, then over time there can be a tendency for users to
pay less regard to them
Checks for Compliance with Security Policy
(Continued)
• Assurance is weakened as users become aware that monitoring does not take place
and that they are not likely to be challenged
• If an instance of non-compliance has been identified, then it is essential to discover
why it has occurred
• This could be due to a lack of training, misunderstandings or perhaps simple
disregard of procedures
• It may also have resulted from a change in business processes that has not been
reflected in the assurance documentation
Reporting on Compliance Status
• The type of strategy deployed by the enterprise to meet its information assurance
compliance obligations will depend on the risk appetite of the organisation and the external
requirements placed on it
• The enterprise needs to understand what its particular obligations are so that it can
implement the essential controls and reporting mechanisms
• In some situations, strictly specified governance requirements apply, but most
enterprises are simply asked to demonstrate that appropriate information assurance
controls have been implemented
Reporting on Compliance Status
(Continued)
• Usually, regulators will want assurance that senior management is committed to
protecting the enterprise’s information assets, understands the enterprise’s risk
profile and has implemented controls to manage risk to an acceptable level
• Regulators will also need assurance that the controls in place are working efficiently and
that any gaps identified are being addressed
• Senior management and any compliance or regulatory bodies need access to
enough information to be able to demonstrate compliance
Module 4: Information Security
Implementation
Planning – Ensuring Effective Programme
Implementation
• Good preparation is the foundation of any successful
information assurance programme execution
• It can be used as a powerful tool to obtain support
from senior management and key stakeholders and to
demonstrate how the assurance programme helps
to reduce risk in the firm. It also builds support for
further initiatives
• In order to have credibility, the information
assurance implementation programme has to be
realistic and attainable, and must accurately address
the requirements of the enterprise
Planning – Ensuring Effective Programme
Implementation
(Continued)
• The main steps in developing an implementation programme and plan are to
identify:
o How the implementation programme will address risks in the enterprise and
reduce them to an acceptable level
o The possible benefits of undertaking the programme
o The controls or work streams that should be set up to attain this
o The level of effort that will be needed, and from whom
o Who will be responsible for each part of the programme
o The timescales and costs associated with the implementation
o How progress will be tracked
How to Present Information Security
Programmes as a Positive Benefit
• An information assurance programme should be seen as delivering positive
benefits to the enterprise
• Managing down information risk can bring tangible advantages in terms of
greater stability of information systems and enhanced protection of sensitive
information
• These advantages can show the rest of the organisation that assurance priorities are
aligned with the priorities of the enterprise
How to Present Information Security
Programmes as a Positive Benefit
(Continued)
• In order to support the programme, senior management needs to understand:
o the risks the organisation is facing
o the cause and potential effects of these risks
o the advantages they will see from their investment
o where changes to ways of working may be required
o how they can sponsor or support the programme
Security Architecture and Strategy
• In information assurance implementation, two
concepts, information security strategy and
information security architecture, have gained value
and credibility in recent years. An information security
strategy is a plan to take the assurance function in an
organisation from the reality of where it is now, with all
its problems and issues, to an improved state in the future
• It gives a vision or road map as to how this can be
achieved and how it will help the organisation in the
future. Generally, a strategy must cover a period of
time long enough to implement a significant
level of change but short enough that changes
in technology and organisational objectives can be predicted
Security Architecture and Strategy
(Continued)
• Typically, this is a three- to five-year period
• An information security strategy has the components of an implementation programme,
but covers a longer period at a less detailed level and is pitched at a much higher level
• It should show how it will allow the enterprise to achieve its purposes and protect it
against current and future threats. It must consider:
o The current state of assurance and the strengths and weaknesses of existing controls
Security Architecture and Strategy
(Continued)
o How the risk profile of the enterprise is likely to change in response to changing
business objectives and working practices;
o Trends in threats, vulnerabilities and possible types of incident
o Expected developments in hardware and software
o Legal, compliance and audit needs and any anticipated changes
o Areas where cost savings can be made
Need to Link with Business Planning, Risk
Management and Audit Processes
• In the enterprise, the aim of an information assurance programme must be to decrease
information risk
• Information assurance implementation and planning processes should not work in
isolation
• In order to be efficient, an implementation programme should understand the business
objectives and goals of an enterprise so that it can recognise the suitable assurance
control measures for ensuring that the enterprise is sufficiently protected to meet these
goals
Need to Link with Business Planning, Risk
Management and Audit Processes
(Continued)
• Information assurance implementation programmes need to work closely with other
assurance and organisational processes to manage risk to an acceptable level
• The risk management process must provide understanding and awareness of the risks faced
by the enterprise and identify where risks are not being managed efficiently
• The outputs from risk assessments must define what controls should be implemented
and assess how urgently they should be addressed
Module 5: Security Incident Management
Security Incident Management
• Security incidents not only affect the
confidentiality of data; the impact can
equally relate to the availability or integrity of
data or of any other asset employed by the
organisation or provided by a third party (such
as cloud services)
• It is important to have plans to deal with the
most likely possibilities before they occur
• Trying to think of and implement solutions
once an event has already become a problem
will take longer and is riskier in terms of them not
working, not to mention bringing further costs
Security Incident Reporting, Recording and
Management
• A security incident response plan is a set of instructions to help the
organisation, and the incident response team in particular, to detect, respond to and
recover from information security incidents
• Plans typically address issues such as:
o Malware outbreak
o DoS attacks
o A security incident at a third-party service provider upon whom the organisation
depends
Security Incident Reporting, Recording and
Management
(Continued)
o Service outages
o An incident requiring notification of a regulator, for instance the ICO for loss of personal
data
• The first priority is to make sure that everyone within the organisation
knows how to identify an incident and to whom they should report it
• This can be achieved in several ways, including awareness training, a dedicated
section on the company portal/intranet and carrying out exercises
Security Incident Reporting, Recording and
Management
(Continued)
• There are usually five phases in the management of an incident:
1. Reporting
2. Investigation
3. Assessment
4. Corrective Action
5. Review
Incident Response Teams/Procedures
• An incident response team (IRT) should be appointed in advance, and all members of that
team should be appropriately trained, briefed and ready to use the plan
• The members need to come from a cross-section of the organisation to ensure that
there is enough breadth of knowledge to deal efficiently with the situation
• They need to be senior and experienced enough to have the authority to make decisions
on the spot
• The IRT must also be empowered to call upon extra resources, internal and external, as
it sees fit to help resolve the incident
Incident Response Teams/Procedures
(Continued)
• There needs to be a documented escalation process for the team to reach the most
senior members of the organisation as and when needed
• The senior risk owner, who is usually a board member, will need to be briefed and
ready to provide support and extra resources if necessary to help respond and recover
• It is advisable to give each member of the team a laptop with remote access to the organisation
• It should hold a full set of the incident response plan documentation and be suitably
encrypted to protect the contents
Need for Links to Corporate Incident
Management Systems
• Large organisations frequently have mature processes in place to support incident response
teams
• There is often a centralised function with access to the resources and expertise to assist
in dealing with the incident
• In a geographically distributed organisation, other offices may have plans
to send in specialist staff to assist in managing and recovering from an incident, to
offer cover for the affected location, or to prepare for and receive teams relocated from
the affected premises
Need for Links to Corporate Incident
Management Systems
(Continued)
• Even if an organisation does not belong to one of these, it is worth approaching a large
organisation located nearby
• It is worthwhile knowing these people in advance so that an appropriate response can be
prepared and the incident, whatever it may be, can be handled
Processes for Involving Law Enforcement
• There are times when it is essential to involve law enforcement or other related
organisations in the response to an incident
• In some countries, some incidents require compulsory reporting to law enforcement, and
it is essential to understand who the relevant bodies are in your local jurisdiction; these
may differ if there are offices in various countries
• If there is any probability of criminal activity or other deliberate action, the relevant
authorities should be informed
• The IRT and senior management must have a good knowledge of the legal requirements
for reporting some events and of how to capture information to a standard that enables
forensic admissibility
Processes for Involving Law Enforcement
(Continued)
• This can be complicated and is another reason why prior planning and preparation are
necessary
• A single mistake in the method can render everything inadmissible in a court of law.
Expert advice and direction are highly recommended
• Another danger is that of attempted extortion and blackmail, where an attacker carries
out something such as a DDoS or ransomware attack on an organisation
• In this case, the National Crime Agency (NCA) is the proper body to contact. Activity of
this sort, or malware found in government departments, should lead to a report being
passed to the NCSC
Module 6: Legal Framework
Protection of Personal Data and Restrictions
• Privacy laws exist to protect the individual's rights. Information regarding people such as
customers or employees is retained and processed by most organisations
• Organisations should be aware of the lawful restrictions placed on them to protect that
information, and on how it can be used and monitored
• Several countries have legislation to protect the person and to control and restrict the
amount of information retained and how it is used and monitored, but the GDPR was
arguably the first comprehensive legislation; it now applies to all PII (Personally
Identifiable Information) about any citizen of the EU, irrespective of where the
information is held
Protection of Personal Data and Restrictions
(Continued)
• The legislation also ensures that information is only collected with the individual's
explicit approval and that it is handled and processed securely, while placing controls on
transferring it to countries outside the EU that have less strict privacy controls
• It covers both electronic and paper-based records
• The following are the main points to remember when handling personal information:
o To protect the personal data from accidental loss, corruption or destruction,
unlawful processing, and unauthorised disclosure, personal information must be
surrounded by robust assurance controls and working practices
Protection of Personal Data and Restrictions
(Continued)
o Processes must be implemented to ensure that information is entered correctly into
computer systems, and staff must know that no personal information should be
disclosed to any third party without suitable written authority being in place
o Computer screens should not be left displaying personal information or where they
can be overlooked, and paper records must be kept locked away
Employment Issues and Employee Rights
• Employees have specific rights when using the information systems of the enterprise,
such as the right to know what information the enterprise holds about them and the
right to privacy, depending on the legal jurisdiction
• For instance, under the GDPR, a person can ask for a copy of the information held by any
organisation. This is called a Subject Access Request
• These rights may extend to monitoring controls
• In the EU, employees have the right to know the scale and type of monitoring that the
enterprise is carrying out and why it is being done
Employment Issues and Employee Rights
(Continued)
• This information must be communicated to the employees by the enterprise. This can
be done easily by including a statement about the extent of monitoring in the
enterprise's information assurance policies or employment contracts
• Otherwise, it may be necessary to gain individuals' consent to allow their information to
be collected and monitored
• An assessment of the monitoring strategy must be carried out to show that the
monitoring techniques being used are justified, not excessive, and meet legal
requirements
Common Concepts of Computer Misuse
• Much of the legislation that currently applies to computer misuse was not written
specifically to address computer crime
• Fraud, deception, blackmail, theft and so on have always existed, but developments in
technology now allow criminals to exploit computing devices in their activities
• Likewise, privacy rights can be abused by electronic eavesdropping, cyberstalking or
hacking rather than by actual physical presence. Hence, existing laws that predate
computers are frequently used to prosecute computer misuse
• Legislation has also been produced to target crimes committed specifically using
computers
Common Concepts of Computer Misuse
(Continued)
• Three new offences were introduced by the Computer Misuse Act 1990:
o the unauthorised modification of computer material;
o unauthorised access with the intent to commit or facilitate further offences; and
o unauthorised access to a computer
• The following are included in the misuse of computers:
o illegal access to computer systems (hacking);
Common Concepts of Computer Misuse
(Continued)
o trafficking in passwords, digital signatures and
encryption keys;
o interference with information and systems;
o download of illegal material;
o computer-related fraud and forgery;
o illegal interception of information;
o commercial infringement of copyrights
Common Concepts of Computer Misuse
(Continued)
• The term computer fraud is used to describe stealing goods or money by using a
computer. This can be achieved in various ways, either by changing the existing
information on a computer or by entering inaccurate information
• Another way to carry it out is by creating or changing computer code. Misuse of
computers in this way is a significant problem, as organised criminals continuously find
new opportunities to use computers to commit crimes
• Business fraud, as this is frequently labelled, is now one of the most common ways for
criminals to extract money from businesses
Requirements for Records Retention
• For legal or regulatory purposes, particular records or documents need to be kept by an
organisation for a period of time. These can include financial reports and accounts,
company board minutes or technical specifications
• The period of time for which documents should be retained varies with the kind of
document and the legislation of the country in which it is used
• The records of multinational organisations may pass to other countries within the
same enterprise
• Thus, the same data is then subject to differing legislative requirements, which might
even conflict with one another
Requirements for Records Retention
(Continued)
• Although most retention requirements specify a minimum length of time for keeping
the data, certain legislation conversely states when a record should be destroyed
• An organisation may be required to produce these records, either by an opposing party in
a legal dispute or by a government agency. Failure to comply can lead to closure of the
business, adverse publicity, a legal judgement against the organisation and heavy fines
Intellectual Property Rights
• Enterprises and individuals invest a lot of money, time and effort in creating original
products, works, ideas and methodologies
• Intellectual property rights (IPR) are the legal rights that protect such creative works,
and most countries have legislation to protect intellectual property
• Copyright law was originally designed to protect original artistic works such as pieces of
music, though it also applies to documents, software programs, books, computer games,
video files, photographs and other types of work generated by or using a computer
• Copyright is automatically attached to a piece of work considered original upon its
publication
Intellectual Property Rights
(Continued)
• Copyright gives the creator exclusive rights over certain aspects of the work, such as
issuing, copying, adapting and performing it
• There are other pieces of legislation that aim to protect intellectual property, and it is
beneficial to have knowledge of some of them
• The common law of breach of confidence aims to protect secrets, whether commercial,
personal or governmental
• It can only be applied while the information is not in the public domain, and it covers
breaches of confidence between two or more parties
Contractual Safeguards, Common Security
Requirements in Outsourcing Contracts
• When developing contracts with third parties, it is essential to ensure that controls are
put in place to protect the information assets of the enterprise to an acceptable level
• In effect, it is essential to ensure that a third party takes the same level of care in
protecting the organisation's information as the organisation would internally
• The types of safeguards needed will differ depending on the kind of service being
provided and the sensitivity of the enterprise data
• Contract conditions should contain clauses to make sure that proper assurance controls
are in place
Contractual Safeguards, Common Security
Requirements in Outsourcing Contracts
(Continued)
• Security conditions are usually managed via a security schedule in the contract. The types
of clauses required to give adequate protection might include clauses to:
o Carry out daily assurance reviews and health checks
o Apply security patches in a timely manner
o Guard information against malicious code
Contractual Safeguards, Common Security
Requirements in Outsourcing Contracts
(Continued)
o Provide business continuity arrangements that meet the agreed service levels
o Vet new staff to a suitable level
o Enforce discipline for any security breaches
o Manage security incidents
• Many organisations use cloud computing services
• It is important that the organisation understands the services being bought and
protects its information sufficiently through the contract
Collection of Admissible Evidence
• There are various processes and rules that must be followed when gathering evidence
so that, when it is used in a court of law, it meets specific criteria
• The evidence may be excluded as inadmissible if legal guidelines are not followed. This
can result in losing a court case, embarrassment, adverse publicity and financial
penalties for the prosecuting party
• This commonly means being able to show that the evidence is authentic, has not been
tampered with in any manner and has been collected in an acceptable way that meets
legislative requirements, which involves being able to document and preserve the
integrity and state of items at the crime scene
Collection of Admissible Evidence
(Continued)
• Several nations have created legal requirements that specify how evidence should be
handled. Examples are the Federal Rules of Evidence, the Civil Evidence Act and the Police
and Criminal Evidence Act
• Developing a procedure for gathering evidence and dealing with investigations will help
avoid mistakes when working under pressure
• Only trained staff should secure evidence. Organisations such as banks may have an
in-house facility to carry out investigations, as they may need to do this daily
Collection of Admissible Evidence
(Continued)
• The following are the principles for handling digital evidence:
o No action taken by the agents or the police should alter data stored on a computer
or other media device which may subsequently be relied upon in court
o In exceptional circumstances, where an individual finds it necessary to access
original data held on a target computer, that individual must be competent to do so
and be able to give evidence explaining the relevance and implications of their actions
o An audit trail or other record of all processes applied to the computer-based
evidence must be created and preserved. An independent third party should be able
to examine those processes and achieve the same result
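The three principles above (no alteration of the original, a competent person accounting for any access, and an audit trail that an independent party can re-run to the same result) are commonly supported with cryptographic hashing. The following is an added example written for this page, not part of the BCS syllabus or the original slides: it records a SHA-256 fingerprint of a constructed sample evidence item at the point of seizure and keeps a hash-chained audit trail, so that an independent reviewer can detect an altered item, an edited entry or a removed step. The `EVIDENCE` bytes, actor names and timestamps are constructed for the demonstration.

```python
"""Evidence integrity record with a hash-chained audit trail.

Added educational example: the evidence bytes, actor names and timestamps
below are constructed. A real investigation would hash a forensic image
file and write the trail to write-once storage.
"""
import copy
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample evidence standing in for an exported mailbox or disk image.
EVIDENCE = (
    b"From: finance@example.invalid\r\n"
    b"Subject: Q3 forecast (constructed sample)\r\n\r\n"
    b"Please find the attached spreadsheet.\r\n"
)

GENESIS = "0" * 64  # prev_hash of the first entry; nothing comes before it


def sha256_hex(data: bytes) -> str:
    """SHA-256 fingerprint taken at seizure and re-taken at every check."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Dict) -> str:
    """Hash of an entry's fields in canonical JSON, excluding its own hash,
    so that any independent verifier computes exactly the same value."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(trail: List[Dict], action: str, actor: str,
                 evidence_hash: str, when: str) -> Dict:
    """Append one step (seizure, imaging, analysis, ...) to the trail.
    Each entry commits to the previous one, so an edited or removed
    step invalidates every later link."""
    entry = {
        "seq": len(trail) + 1,
        "time": when,  # ISO 8601 timestamp supplied by the caller
        "action": action,
        "actor": actor,
        "evidence_hash": evidence_hash,
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: List[Dict], evidence: bytes) -> Tuple[bool, str]:
    """Independent check a third party can run: the chain is intact and
    the evidence still matches the hash recorded at seizure."""
    if not trail:
        return False, "no entries"
    prev = GENESIS
    for entry in trail:
        if entry["prev_hash"] != prev:
            return False, f"chain broken at seq {entry['seq']}"
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, f"entry {entry['seq']} has been edited"
        prev = entry["entry_hash"]
    if sha256_hex(evidence) != trail[0]["evidence_hash"]:
        return False, "evidence does not match hash recorded at seizure"
    return True, "ok"


def build_demo_trail() -> List[Dict]:
    """Constructed custody trail: seizure, imaging and a read-only review."""
    trail: List[Dict] = []
    fingerprint = sha256_hex(EVIDENCE)
    append_entry(trail, "seized", "investigator-1", fingerprint, "2024-03-01T09:00:00Z")
    append_entry(trail, "imaged", "investigator-1", fingerprint, "2024-03-01T10:30:00Z")
    append_entry(trail, "reviewed (read-only)", "analyst-2", fingerprint, "2024-03-02T14:00:00Z")
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact trail:", verify_trail(trail, EVIDENCE))
    # Tampered evidence: one byte appended after seizure.
    print("altered evidence:", verify_trail(trail, EVIDENCE + b"x"))
    # Edited log: someone rewrites who performed step 1.
    edited = copy.deepcopy(trail)
    edited[0]["actor"] = "someone-else"
    print("edited entry:", verify_trail(edited, EVIDENCE))
```

The entry hash is computed over canonical JSON (sorted keys, no whitespace) so that a second examiner using a different tool arrives at the same values, which is the reproducibility the third principle asks for; the fingerprint of the original is never recomputed from a working copy, only compared against it.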
Securing Digital Signatures
• Usually, a handwritten signature on an original document proves who signed it, and any
changes can be noticed. In the electronic world the position is different, as an original
and a copy look alike, and hence there is the possibility of fraud
• A digital signature is an electronic signature that addresses this issue. It electronically
binds the sender of a message to the contents of the actual message to prove that it is
genuine
• It also proves by whom and when it was sent, that it has not been tampered with, that it
has been kept secret and that neither party can deny its transmission
• Firms are increasingly using digital signatures to conduct their business, and legislation
has evolved to facilitate and control their usage
Securing Digital Signatures
(Continued)
• What is acceptable differs across legal jurisdictions, so it is important that legal advice is
obtained before adopting the use of digital signatures
• In the EU, the Electronic Identification, Authentication and Trust Services regulation
(eIDAS) came into force on 17 September 2014 and stated that electronic signatures
would not be denied legal effect solely because they are in electronic form
• Electronic signatures backed by qualified certificates issued by a certification service
provider and generated by a secure signature creation device are treated as equivalent to
handwritten signatures
Restrictions on Purchase, Use and Movement
of Cryptography Technology
• Cryptography is a powerful tool for protecting privacy and confidential information, and
it can be used by governments, businesses, criminals and individuals alike
• Governments argue that it is in the national interest for them to control cryptographic
activity in order to protect individuals and to prevent and track terrorist or criminal
activity
• As such, there are various controls in place over its use, and cryptography legislation
differs significantly from country to country
Restrictions on Purchase, Use and Movement
of Cryptography Technology
(Continued)
• In a few countries the controls are quite harsh, particularly where repressive political
regimes are in government
• It is essential that organisations which operate internationally understand the local
restrictions on their operations, as penalties can be very harsh (e.g. prosecution for
treason) and some statutes include the death penalty
Restrictions on Purchase, Use and Movement
of Cryptography Technology
(Continued)
• The following factors should be considered:
o Restrictions on the export and import of computer hardware and software that
perform cryptographic functions
o Restrictions on the export and import of computer hardware and software designed
to have cryptographic functions added to it, and restrictions on the use of encryption
o Discretionary or mandatory methods of access by the countries' authorities to
information encrypted by computer hardware and software to provide confidentiality
Module 7: Security Standards and
Procedures
National and International Standards
• In the area of information assurance, many standards apply. These generally specify a set
of requirements for products, processes or procedures, and they are created by
organisations known as standards bodies
• They collaborate with industry specialists in many areas, whether representing vendors,
scientific research agencies or government departments, to present good practices which
can be applied by others
• The jurisdiction of a standards body may extend to a particular industry sector, a specific
country or internationally
National and International Standards
(Continued)
• The standards that apply to an enterprise will differ depending on several factors, which
may include the country in which the enterprise is based, whether it operates
internationally, the industry sector in which it operates, or engagement in government
contracts
• Most standards are produced by non-profit-making organisations and are funded by
several parties which have a vested interest in their existence
• Generally, they do not regulate the adoption of their standards, although some do give
certification or accreditation to organisations to allow them to demonstrate compliance
with the standards
National and International Standards
(Continued)
• ISO standards are produced collaboratively by committees from more than 160
participating countries
• Every standard is reviewed at least every five years to ensure that it remains current, and
those that are no longer appropriate can be withdrawn
• Editions of these standards are formally published by the ISO and can be bought either
from ISO directly or through national standards agencies such as BSI
Certification of ISMS to Appropriate
Standards
• Achieving information assurance certification is a means of demonstrating that an
organisation takes information assurance seriously and that the right assurance controls
and processes have been implemented
• Certifications can apply to a particular set of processes or enterprise-wide within the
organisation
• Generally, certification requires the enterprise to undergo an external audit by an
accredited third party
Certification of ISMS to Appropriate
Standards
(Continued)
• The ISO runs several certification schemes against its standards, including ISO/IEC 27001,
which allows an organisation to have its management processes and information
assurance governance certified against ISO/IEC 27001
• To gain accreditation, the organisation's ISMS (Information Security Management
System) has to undergo an external audit carried out by an accredited third-party
organisation
• The auditors use standard processes to examine the organisation's ISMS policies,
procedures and standards against the ISO/IEC 27001 requirements and then seek
evidence that they are being used within the organisation
Product Certification to Recognised Standards
• Many products need certification and independent testing before they can be
introduced into the market to make sure that they conform to technical specifications,
safety requirements or other compliance regulations
• It is beneficial to have an independent third party to confirm that a new product does
meet expectations and that it can be trusted
• This mainly applies to security products, as it is not easy for the consumer to test the
product's security for themselves
• Certificates give customers the assurance that the security features provide the level of
protection that is claimed by the vendor
Product Certification to Recognised Standards
(Continued)
• It is beneficial to know that a standards-based approach has been used for this
assessment, as this will help in understanding how rigorous it has been
• Test results produced in a standardised format allow straightforward comparison with
other competing products
• Security testing, certification and evaluation have traditionally been carried out by
organisations or government agencies serving the defence market
• Many countries have developed their own certification and evaluation systems using
different approaches and classification models
Product Certification to Recognised Standards
(Continued)
• This has often complicated matters when dealing with other internationally recognised
certification schemes
• It means that products have to be recertified for use in different industry sectors or
countries, adding to an already costly and time-consuming process
Awareness of the Production of Key Technical
Standards
• There are various technical standards applicable to information assurance management
• This section examines some of the better-known bodies that produce technical standards
• The Internet Engineering Task Force (IETF) is a large, open international community which
develops and promotes internet standards
• Its governing body meets two or three times a year. Standards are produced by working
groups of interested parties, such as network designers, vendors, operators and
researchers, each focusing on a specific topic
Awareness of the Production of Key Technical
Standards
(Continued)
• Federal Information Processing Standards Publications (FIPS PUBS) are standards and
guidelines developed and issued by NIST for federal government computer systems in
the USA
• Where possible, the US federal government uses currently published industry standards,
but should none be suitable it will ask NIST to help develop them
• NIST cooperates with national and international standards committees such as the IETF
and other interested parties to produce FIPS PUBS
Awareness of the Production of Key Technical
Standards
(Continued)
• Within Europe, the European Telecommunications Standards Institute (ETSI), based in
France, has official responsibility for the standardisation of information and
communications technology (ICT)
• It is recognised by the European Commission and the European Free Trade Association
(EFTA) secretariat
• Its primary purpose is to produce technical specifications that may be used in European
directives and regulations, or by manufacturers to show that their products comply
with these directives and regulations
Question 11
Qus 11: Which of the following activities should NOT be handled by the information
assurance function?
A. Monitoring the effectiveness of the enterprise’s assurance arrangements
B. Providing advice on information assurance
C. Effectively delivering a secure environment across the enterprise
D. Reporting on the effectiveness of the enterprise’s assurance arrangements to senior
management
Question 12
Qus 12: Where should the information assurance function be placed within the enterprise
so that it can facilitate full management co-ordination of assurance across the enterprise?
A. Within the compliance function
B. At board level
C. It will depend on the structure of the enterprise
D. Within the IT group
Question 13
Qus 13: What is the main role of the board director with responsibility for information
assurance?
A. To ensure that appropriate security controls are implemented across the enterprise
B. To have a detailed understanding of the threats facing the enterprise
C. To implement information assurance solutions across the enterprise
D. To provide day-to-day management of the information assurance function
Question 14
Qus 14: Clearly defined responsibilities for information assurance should include which of
the following?
A. Operating procedures and reporting requirements
B. The scope of the responsibilities and level of authority granted
C. Disciplinary procedure
D. None of these
Question 15
Qus 15: Which would be the best way to hear about and plan for any regulatory changes
to your industry that may affect information assurance?
A. Permanently employing consultants
B. Scanning bulletin boards and websites for snippets of information
C. Waiting until the changes were announced in the press
D. Maintaining a relationship with regulatory bodies for the industry
Question 16
Qus 16: Which of the following groups of people should have access to the high-level
security policy for the enterprise?
A. Senior management and all line management
B. All staff within the enterprise
C. Third parties that have access to the enterprise’s information systems
D. All of the above
Question 17
Qus 17: Which of these security documents is NOT mandatory?
A. A policy
B. A standard
C. A guideline
D. A procedure
Question 18
Qus 18: Which of the following statements best describes an information security
architecture?
A. A technical overview of assurance controls applied within an enterprise
B. A framework of assurance controls that can be applied across the enterprise to protect
its information assets
C. The physical security controls applied within security locations
D. A blueprint for future security controls
Question 19
Qus 19: Which of the following is the security standard that applies to the accreditation
of security controls within products?
A. ISO 27001
B. ISO 15408
C. ISO 9000
D. ISO 13335
Question 20
Qus 20: Privacy legislation is in place to protect the rights of?
A. Criminals
B. Companies
C. The individual
D. Data protection officers
Question 21
Qus 21: Which of the following is NOT a phase in incident management?
A. Assessment
B. Investigation
C. Reporting
D. Elimination
Domain 4: Security Lifecycle
• Module 1: The Information Lifecycle
• Module 2: Identify the Stages of the Information Lifecycle
• Module 3: Concepts of Design Process Lifecycle Including Essential and
Non-Functional Requirements
• Module 4: Testing, Audit and Review
• Module 5: System Development and Support
Outlines of Domain 4
Module 1: The Information Lifecycle
Importance and Relevance of the
Information Lifecycle
• Information Lifecycle Management is an approach to data and storage management
which recognises that the value of information varies over time and that it should be
handled accordingly
• Information Lifecycle Management tries to organise data according to its business value
and build policies to migrate and store data on the suitable storage tier
• Put more simply, Information Lifecycle Management is a method for companies to
classify their content to ensure that only the most appropriate data is being stored and
accessed
Importance and Relevance of the
Information Lifecycle
(Continued)
• A good Information Lifecycle Management system organises assets at a suitable level
and implements the corresponding standards of care at every stage of their life
The following are the benefits of Information Lifecycle Management:
1. Keep Track of Your Content
• Information Lifecycle Management helps you keep track of your content. It is no secret
that you are creating content in far greater volume than ever before and that your
content is retained for longer. Information Lifecycle Management is intended to act as a
working inventory of what content you have
Importance and Relevance of the
Information Lifecycle
2. Avoid Wasting Valuable Storage Space
• When you understand what content you have, you know what content is outdated, old
or has outlived its usefulness
• Therefore, Information Lifecycle Management helps to identify documents which should
not be taking up valuable storage space on your systems
• If you use cloud storage, you pay per usage. Avoiding the storage of needless content
helps you reduce costs
Importance and Relevance of the
Information Lifecycle
3. Help Meet Regulatory Compliance
Standards
• Most significantly, the world is demanding more regulation, particularly where privacy is
concerned
• When you use a properly constructed Information Lifecycle Management policy, it will
identify those documents or assets which should be monitored for regulatory compliance
purposes
Module 2: Identify the Stages of the
Information Lifecycle
Information Lifecycle
• The life cycle of information needs to be managed in a way that supports the assurance
or security of the information throughout that life cycle
• The life cycle includes three main stages, beginning with the generation, creation or
acquisition of the information and ending with its ultimate disposal or archiving
• All must be considered appropriately, with the required controls and procedures put in
place to support the information's confidentiality, integrity and availability
• The initial stage is how the information comes into the possession of a custodian. This
can occur in several ways, but essentially, whether the information was created by
someone else and sent to the custodian via email, telephone, letter, data transfer or
another method, or the custodian has generated it, the information arrives in the
company
Information Lifecycle
(Continued)
• This should result in some form of classification being attached to that information by
the creator, or anyone acting in that role, which labels the information by significance
and value so that suitable, cost-effective security standards are put in place to look after
it
• Factors to consider at the point of acquisition include the planning of systems for
managing the information, unique identification of data types, and the source and
classification of the information
Information Lifecycle
(Continued)
• The second stage is the one which will usually last the longest; the information will be
used in a number of ways, which could be to inform the company or to be published for
others to know or learn from
• Publication could be in paper format, as in a book, letter or other physical document,
or, as is more usual today, by electronic means, to the public via the internet or
internally on an intranet
• This use of the information may occur only once or many times throughout its life. The
factors to think about during this stage include the secure storage, sharing and
transmission, processing, integrity and validity of the information
Information Lifecycle
(Continued)
• The third stage is to dispose of the information once it has served its beneficial and
intended purpose
• Disposal could mean deletion, or it could mean archiving it out of the usual daily
business so that it can still be retrieved
• The factors to take into account during this stage include validity dates, transfer
methods for disposal, disposal methods and auditing of the process
Module 3: Concepts of Design Process
Lifecycle Including Essential and Non-
Functional Requirements
Use of Architecture Frameworks e.g. SABSA,
TOGAF
• Applying security architecture is usually a confusing process in enterprises. Traditionally,
security architecture includes the preventive, corrective and detective controls that are
applied to protect the firm's infrastructure and applications. Some enterprises are doing
a good job with security architecture by adding directive controls, consisting of policies
as well as procedures
• Many information security professionals with a traditional mindset view security
architecture as nothing more than having security policies, monitoring, tools and
controls
Use of Architecture Frameworks e.g. SABSA,
TOGAF
SABSA, COBIT and TOGAF and Their Relationships
• Sherwood Applied Business Security Architecture (SABSA) is a business-driven security
framework for enterprises which is based on risk and the opportunities associated with it
• SABSA does not prescribe any particular controls and relies on others, such as the
International Organisation for Standardisation (ISO) or COBIT (Control Objectives for
Information and Related Technologies) processes. It is a methodology to ensure business
alignment
• The SABSA methodology has six layers. Every layer has a distinct view and purpose. The
contextual layer involves business needs and goals, and it is at the top
Use of Architecture Frameworks e.g. SABSA,
TOGAF
(Continued)
• The second layer is the conceptual layer, which is the architect's view. The layers, from
the top down, are:
o Contextual Security Architecture
o Conceptual Security Architecture
o Logical Security Architecture
o Physical Security Architecture
o Component Security Architecture
o Security Service Management Architecture, which runs alongside and spans all of the
layers above
Use of Architecture Frameworks e.g. SABSA,
TOGAF
(Continued)
• TOGAF is a framework and a collection of supporting tools for developing an
enterprise architecture
• The TOGAF architecture development cycle is an excellent one to use for any enterprise
which is starting to build an enterprise security architecture
• Like other frameworks, TOGAF begins with the business view and layer, which is
followed by technology and information
Agile Development i.e. DevOps,
DevSecOps and Potential Conflict
• In software development, Agile improves the delivery process by encouraging changes in
the practices and functions of the development teams and the business, to produce a
better project or product as envisaged by the client or the end user
DevOps
• Modern software development is based on DevOps practices, which integrate software
development with IT operations as a way of shortening development cycles, increasing
the frequency of software delivery and assuring high software quality
Agile Development i.e. DevOps,
DevSecOps and Potential Conflict
(Continued)
• DevOps incorporates agile software engineering principles and involves continuous
integration and testing activities as a means of enabling frequent delivery and integration
• Several research reports show that leading IT organisations integrate and deliver
software far more often than average software organisations, which is why many
fast-growing enterprises ride the wave of DevOps methodologies
Agile Development i.e. DevOps,
DevSecOps and Potential Conflict
(Continued)
• One flaw of DevOps processes in practice is that security issues are sometimes ignored
• In the past, it was normal practice for software development teams to deal with security
challenges in the final stages of development
• However, this practice is completely mismatched with the DevOps paradigm, where
development cycles are very frequent and the complete software product always needs
to be available for release
Agile Development i.e. DevOps,
DevSecOps and Potential Conflict
DevSecOps
• DevSecOps is about integrating security practices into DevOps activities
• Its emphasis is on security as a shared responsibility among every DevOps stakeholder,
including the teams engaged in development and operations, release engineers and
security teams
Agile Development i.e. DevOps,
DevSecOps and Potential Conflict
(Continued)
• DevSecOps addresses the difficult goal of finding a compromise between speed of
delivery and code security, which are usually two conflicting targets
• As parts of DevSecOps, these two conflicting activities need to be balanced and
integrated into a common discipline of software development
• This balancing involves a paradigm shift in code security: software security issues are
managed proactively as part of agile development, instead of reactively whenever an
attack occurs or a flaw is discovered
Agile Development i.e. DevOps,
DevSecOps and Potential Conflict
(Continued)
• An efficient DevOps process ensures robust, iterative security cycles without any
unnecessary slowdown in continuous integration and software delivery
• DevSecOps is a good way of confronting modern security challenges
• It allows developers, security engineers, deployers and release engineers to cope with
the complexity and scale of contemporary security attacks
Service Continuity and Availability
• Service continuity is defined as assuring that the required IT technology and services
can be recovered within the required and agreed business timescales
• Service continuity is required for:
o Lower insurance premiums
o Regulatory requirements
o Business relationships
o Positive marketing of contingency capabilities
o Organisational credibility
o Competitive advantage
Service Continuity and Availability
(Continued)
• Availability management performs the following tasks:
o Optimising availability to provide cost-effective improvements and perceptible
benefits
o Assuring that IT services are planned to deliver the business's availability requirements
o Minimising the frequency and duration of incidents
o Reporting to assure that reliability, availability and maintainability are measured and
monitored
o Recognising shortfalls and progressing corrective actions
Module 4: Testing, Audit and Review
Methods and Strategies for Security Testing
Systems
• Having built what is supposed to be a secure system that meets the requirements of the
business, there is always value in proving that the end result actually is secure
• It gives senior management confidence in both the abilities and the systems within the
company to design and implement them in a secure and effective way
• A single test after completion is not enough, though, as business requirements and
threats are continually changing
• Reviews and tests must be repeated at periodic intervals to look for any new issues of
technology, process or threat which should be addressed
Methods and Strategies for Security Testing
Systems
(Continued)
• Some of this needs expert testing by a professional penetration test team, and some of
it needs review by a combination of security and business analysts
• From time to time it is worth seeking the advice of an independent external adviser who
can assist in recognising areas which may have been overlooked or about which the
internal team has limited knowledge
• Testing and review should form part of the continuous risk management process, which
exists to manage each risk, including these
Need for Correct Reporting of Testing and
Reviews
• The test and review process needs complete and correct reporting if it is to be of any
value. The report needs to be an open and honest 'warts and all' report which
highlights any faults in the security architecture
• Any effort to downplay or hide problems can lead to vulnerabilities being left in place
which can then be successfully exploited
• As always, the report should include an executive summary for the people who do not
have the knowledge or time to understand the whole report, as well as the detailed
technical content
• This summary must include the essential conclusions and 'take-away' messages, with a
short justification for any further expenditure and action
Need for Correct Reporting of Testing and
Reviews
(Continued)
• Because it can include the details of vulnerabilities in the company, it may be necessary
to give this report some level of protective marking to prevent unauthorised access
• Findings must be prioritised so that emphasis is placed on the most severe faults in the
system. These are sometimes categorised by the level of impact if exploited, for
example high, medium or low, accompanied by the level of difficulty (easy, medium,
hard) of exploiting them
• The overall rating then combines these two scores so that attention is concentrated on
the worst findings: those with high impact which are easy to exploit
Verifying Linkage Between Computer and
Clerical Processes
• In the best traditions of the Deming 'Plan–Do–Check–Act' cycle, this is where it is
essential to check that the task has been completed appropriately and that the basis for
the original design has not changed since the last review
• This check will show whether people are following the procedures and whether those
procedures are right for the current situation
• If it is found that the procedures are being widely side-stepped or disregarded, it is
usually a good sign that the procedures, the design or both are wrong, and changes
must be considered
[Figure: Deming/Shewhart Cycle] Note: ISMS = Information Security Management System
Verifying Linkage Between Computer and
Clerical Processes
Continuous Improvement
(Favoured in standards such as ISO 27001)
• Plan: Establish ISMS (Identify an opportunity and plan
for change)
• Do: Implement and operate ISMS (Implement the
change on a small scale)
• Check: Monitor and Review ISMS (Determine whether it
made a difference)
• Act: Maintain and Improve ISMS (If successful,
implement it on a wider scale and continuously assess)
Principles of the Monitoring System and
Network Access or Usage
• There is a requirement to gather event log data from a complete range of systems,
devices and appliances, and to monitor the traffic passing over the network and any
external data links, for example the internet
• There are commercial software applications and devices which can be used to perform
this role, automatically processing anything up to hundreds of thousands of events per
hour and storing the data for later use
Principles of the Monitoring System and
Network Access or Usage
(Continued)
• The data which has been gathered can be analysed to detect unusual patterns of
behaviour and the signatures of known attacks and malware
• It can also be reviewed forensically to collect evidence of wrongdoing and abuse, which
can be used in an internal disciplinary case or given to criminal justice organisations as
part of their enquiries. Skilled and well-trained people should do the analysis
• The training should be not only in the technical side of identifying unusual activity, but
also in how to collect and preserve data in a way that is legally admissible in court
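The two kinds of analysis the slides describe, spotting unusual behaviour in gathered event data and matching known-attack signatures, together with a hash of the raw evidence so that later review can show it was not altered, as an added worked example in Python. This is not code from the course or from BCS; the log lines, the five-failures-in-sixty-seconds threshold and the `EvilBot/1.0` signature string are constructed assumptions for illustration, not real indicators.

```python
"""Added example (not from the course deck): simple monitoring over constructed log lines.

Detects unusual behaviour (many failed logins from one source in a short window),
matches known-attack signatures, and hashes the raw evidence bundle. All log
lines, thresholds and signatures are constructed assumptions.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an sshd-like format (assumption: not real logs)
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T10:00:04 host1 sshd: Failed password for bob from 203.0.113.7
2024-03-01T10:00:06 host1 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:09 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:12 host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:05:00 host2 sshd: Failed password for carol from 198.51.100.2
2024-03-01T10:15:00 host2 sshd: Accepted publickey for carol from 198.51.100.2
2024-03-01T11:00:00 host3 web: GET / agent=EvilBot/1.0 from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\w+): "
    r"(?P<msg>.*) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed placeholder signature; a real SOC would load vendor or CTI signatures
KNOWN_SIGNATURES = ("EvilBot/1.0",)


def parse_log(text):
    """Turn raw lines into event dicts; unparsable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["raw"] = raw
        events.append(ev)
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Unusual behaviour: at least `threshold` failed logins from one source
    inside `window`. Also flags whether a successful login from that source
    followed the burst, which is the case most worth escalating."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["msg"].startswith("Failed password"):
            failures[ev["src"]].append(ev["ts"])
        elif ev["msg"].startswith("Accepted"):
            successes[ev["src"]].append(ev["ts"])

    alerts = []
    for src, times in failures.items():
        times.sort()
        best_count, best_start, lo = 0, 0, 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best_count:
                best_count, best_start = hi - lo + 1, lo
        if best_count >= threshold:
            last_failure = times[best_start + best_count - 1]
            alerts.append({
                "source": src,
                "failures": best_count,
                "window_start": times[best_start],
                "followed_by_success": any(t >= last_failure for t in successes[src]),
            })
    return alerts


def detect_signatures(events, signatures=KNOWN_SIGNATURES):
    """Known-attack matching: substring signatures against the message text."""
    return [
        {"source": ev["src"], "signature": sig, "raw": ev["raw"]}
        for ev in events
        for sig in signatures
        if sig in ev["msg"]
    ]


def evidence_digest(text):
    """SHA-256 of the raw log bundle, recorded with the report so that later
    review can show the evidence was not altered after collection."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def analyse(text):
    events = parse_log(text)
    return {
        "event_count": len(events),
        "bursts": detect_failed_login_bursts(events),
        "signature_hits": detect_signatures(events),
        "digest": evidence_digest(text),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample the burst detector reports one source with five failures followed by a success, the signature check reports one hit, and the second source (a single failure) is not reported. The digest is what ties the report back to the collected data: the analyst keeps the original bundle read-only and records the hash alongside the findings.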
Principles of the Monitoring System and
Network Access or Usage
(Continued)
• Smaller companies without their own resources can outsource this type of work to
expert third parties
• Usually, security operations centres (SOCs) provide this function, and in their armoury
they will use security information and event management (SIEM) tools to provide
real-time analysis of the gathered audit events
• These tools integrate detailed log management with a powerful analytics engine to allow
them to detect patterns of behaviour which could not be detected at a single end-user
device or boundary device
Module 5: Systems Development and
Support
Security Requirement Specification
• The design of each application, network or system must meet the users' operational
requirements and also be aligned with the organisation's information security
architecture as a whole
• The security requirements must be part of the overall statement of requirements
document from which the design is created
• It is most essential that the assurance needs are captured at the beginning of any
project, to ensure that they are effective and that there is no adverse effect on the
project or product from trying to retrofit the security requirements later on
• Adding them later will almost always add complication as well as cost to the project
Security Requirement Specification
(Continued)
• Another issue can be efforts by the project team to reduce the security requirements
to save time and money on the project if there has been slippage of timescales or cost
overruns
• The security manager must be able to defend their requirements, but not be completely
inflexible in the face of important operational requirements
• It is necessary to have project and senior management sign off acceptance of the
increased risk that results from any modifications
Security Requirement Specification
(Continued)
• Security should not be thought of as just protecting against inappropriate access and
misuse; it also covers the following:
o Defensive coding to ensure that only valid and reliable data is processed by the
system
o Proper functional testing of the system to assure that it behaves as anticipated and
within the design criteria
o Ways to back up and secure data against loss or damage
o Sufficient assurance of availability
Security Requirement Specification
(Continued)
o Compliance with any legal and regulatory requirements
o Security of communications
o Effective auditing of activity, for instance for legal and regulatory reasons
Security Involvement in System and Product
Assessment
• Before being used in production, all new systems and products should go through some
kind of suitable acceptance testing
• It does not matter whether they were purchased or developed; they should be evaluated
for acceptable and suitable levels of security
• Each product should be assessed for its potential impacts on confidentiality, integrity
and availability, both directly and indirectly in combination with other assets, as a
component of the risk assessment process
• Many best-practice companies maintain a separate test environment which replicates the
live systems to enable assessments to be carried out without risk of an adverse outcome
• Another approach is to review the source code, by eye or with automated tools; running
a malware scanner over new code is always recommended
Security Issues Associated With Commercial
off-the-shelf Systems
• The most apparent threat with commercial off-the-shelf (COTS) products is rogue code
concealed in an application which performs some activity against the best interests of
the company
• It could also be that there are bugs which, while not deliberately malicious, create
vulnerabilities that could result in a severe adverse impact
• Mention has already been made of a separate test environment, and this is one reason
why it is necessary: to assist in finding any such code by recognising its behaviour
before it affects production assets
• When a new product is installed, it is important to make sure that all security updates
have been applied to it
Security Issues Associated With Commercial
off-the-shelf Systems
(Continued)
• Sometimes dishonest individuals will advertise cheap copies of applications, having
altered the code to include malware
• The reduced price means that the copy is more likely to be purchased and their malware
installed
• Security issues do not just mean checking for rogue code; it is also necessary to check
that the product is a legal copy and not pirated
• Ensure that the supplier is reputable, not some dubious market website or stall selling
cheap copies
Importance of Links With the Whole Business
Process
• The development process is another area that benefits from contact with all the
business functions which will be affected by the new deliverable
• It often happens that end users are given what the designers believed they required,
without anyone having bothered to ask them
• Consultation from day one has all kinds of advantages, and the end users receive the
deliverable they require with a form of security built in that they can not only live with
but also see a real advantage from having included
• Project managers call this stakeholder commitment; it is a powerful tool that should be
used by everybody
Importance of Links With the Whole Business
Process
(Continued)
• A good security manager keeps in close contact with all their fellow managers across
the organisation to ensure good feedback and open communications
• It may be that the security team learns something new during the development process.
Keeping up with new software tools and system technologies is as necessary for security
managers and architects as maintaining current knowledge of threats and legislation
• Developing good relations across the business with key stakeholders and gaining their
trust will help the standing and credibility of the security manager
Separation of Development, Test and Support
From Operational Systems
• The primary purpose of keeping the live and development systems separate is to protect
the live data from any unintended actions that might compromise it
• Work to develop new systems and applications almost always includes errors in design
or coding, and sometimes both, which is why acceptance and functionality testing is
needed
• Any attempt to run incomplete and unproven code against a live database could have a
significant impact on the ability of the company to function
• It is usually considered best practice to have three separate systems – one each for
development, test and live
Separation of Development, Test and Support
From Operational Systems
(Continued)
• The last issue to consider is that users may well require additional training before they
can use the new systems properly, and the development or test systems can be an
excellent place to let them make mistakes away from the live data
• Accidental mistakes introduced by users are a daily source of problems, and during
training they can be even more common as users are less familiar with the system
• Training on the development or test system removes the concern about mistakes being
introduced and enables trainees to make errors in a safe environment
Security of Acceptance Processes and
Authorisation for Use
• Once a deliverable, whether software, hardware or both, has completed development
and is ready for deployment, it should be tested to assure that it does exactly what the
requirements define, as documented in the functional test plan
• If the product is an update of an existing product, there must also be regression
testing to ensure that no unanticipated changes to existing functionality have occurred
during the update process
• This involves testing the security aspects of the product, and also ensuring that the
testing itself is conducted securely
Security of Acceptance Processes and
Authorisation for Use
(Continued)
• The deliverable must not only work but do so securely, without any unintentional
adverse impact on other business areas or business processes
• A risk assessment should have been conducted as part of the development life cycle,
and the design and its predictions must be checked against the actual testing results
• Security testing needs to consider:
o Protection against malware and code injection through interfaces
o Effectiveness of defensive coding
Security of Acceptance Processes and
Authorisation for Use
(Continued)
o Backup and recovery of data
o Auditing and behavioural analysis
o Communications security
o Access control
o Resilience
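The first two items in the security testing list above, protection against code injection through an interface and the effectiveness of defensive coding, are also the point of the "defensive coding" item in the security requirement specification earlier in this module. The following added example in Python (not code from the course or from BCS) puts the weak form of a lookup beside two hardened forms so that a tester can see what each layer actually stops. The table, the sample rows and the username rule are constructed assumptions.

```python
"""Added example (not from the course deck): defensive coding at an interface.

Puts the weak form of a database lookup beside the hardened forms: parameter
binding to stop injection through the interface, and input validation so that
only valid data is processed. The schema, rows and username rule are
constructed assumptions.
"""
import re
import sqlite3

# Assumed naming rule: a lower-case letter, then 2 to 31 characters of [a-z0-9_]
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def build_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def lookup_email_unsafe(conn, name):
    """Deliberately weak: caller input is spliced into the SQL text, so the
    interface accepts SQL syntax as well as data."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_parameterised(conn, name):
    """Injection protection: the driver binds `name` as a value, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_username(name):
    """Defensive coding: reject anything that is not a well-formed username.
    The error message is deliberately generic so input is not echoed back."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def lookup_email_safe(conn, name):
    """Both layers together: validate first, then query with a bound parameter."""
    return lookup_email_parameterised(conn, validate_username(name))


def compare(name):
    """Run one input through all three variants on a fresh database."""
    conn = build_db()
    try:
        safe = lookup_email_safe(conn, name)
    except ValueError:
        safe = "rejected"
    return {
        "unsafe": lookup_email_unsafe(conn, name),
        "parameterised": lookup_email_parameterised(conn, name),
        "safe": safe,
    }


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("x' OR '1'='1"))  # tautology input: only the weak form returns every row
```

For a well-formed username all three variants agree. For the tautology input the weak form returns every row, the parameterised form returns nothing (the whole string is compared as a name), and the validated form refuses the input before any query runs. A functional test plan for the interface should exercise both the normal and the malformed inputs, which is what the assertions below do.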
Security of Acceptance Processes and
Authorisation for Use
(Continued)
• The final acceptance testing must be done by representatives from:
o End-users of the deliverable
o The project team
o Business management
o The assurance team
• The final authorisation to go live must have sign-off from each of these
representatives before it can proceed
Role of Accreditation of New or Modified
Systems as Meeting their Security Policy
• Some companies have an accreditor, or the equivalent, who is responsible for ensuring
that any additions or alterations to their information networks and systems are of the
required standard, specifically from a security standpoint, but to some extent from all
other aspects as well
• This individual has to approve the information security policy, architecture and
procedures before the products can be deployed and used
• Usually, this process is carried out through formal documentation to standards set in
regulatory, organisational or legal documents
Role of Accreditation of New or Modified
Systems as Meeting their Security Policy
(Continued)
• Accreditation can apply specifically in the business world, particularly in aviation and
finance systems, where a regulatory body must accredit systems as being fit for purpose
before they can be used
• An alternative approach is where a new system needs to be capable of accreditation to
a standard
• It may be that the organisation already has the accreditation, or is working towards it,
and wants to ensure that the new system can meet the expected standards for
countermeasures and controls so that it will pass audit without corrective action
Role of Accreditation of New or Modified
Systems as Meeting their Security Policy
(Continued)
• The same principle applies to existing systems which are changed or renewed: all
modifications should go through the same review process as when the system was new,
to ensure that the standards are being maintained in the latest work
• Several companies require periodic re-accreditation and review even if nothing appears
to have changed
• Sometimes users will make modifications to working practices or design without
permission, or the environment will change. The periodic review will assist in
recognising these, and formal processes can then be used to take corrective action
Change Control for Software Integrity
• Any modification to a software application, even when made to improve its functionality,
can introduce unintended problems
• Each company must implement and enforce an effective formal change control process
to manage the risks to its reputation and information assets
• The process begins with the submission of an outline of the proposed changes to a
review board, which will evaluate the benefits against the work required to complete
the change and the risks
• One of the members of this change board must be a representative of the assurance
team, who will define the risks and any changes to vulnerabilities and threats that the
change may bring about
Change Control for Software Integrity
(Continued)
• If the board approves the request, it may set out some approaches and conditions to be
used to manage the risks
• After the development work is finished, the new version should undergo functionality
and regression testing
• The process must apply not merely to the hardware or software, but also to updating
the documentation which describes its use, design and function
• A copy of the latest code and accompanying documentation should be kept in a safe
place for business continuity purposes
Security Issues Relating to Outsourcing
Software Development
• The practice of outsourcing has become more popular; it frequently drives down costs,
but it can also introduce new risks to the process
• Some of these risks have security implications, such as the introduction of malicious
code, intentionally or accidentally, into the deliverable or into client systems during
installation
• There is also the risk of loss of trade secrets or intellectual property in the information
which has to be provided to the third party, which may find its way into competitors'
possession
Security Issues Relating to Outsourcing
Software Development
(Continued)
• A similar risk applies to any data transferred to the third party. The laws and
regulations on data protection apply to anything sent to a third party as part of the
development process
• A further concern is that of a legal dispute developing between a client and a supplier.
This risk can be managed by having suitable terms and conditions in the agreement,
including agreed terms for dispute resolution, possibly by mediation, and a clear
statement of the country or legal system in which disputes will be resolved
(Continued)
• Yet the business must understand that it is likely to be the biggest loser if a contractual
dispute has to be settled by the courts, as it may not have the system it needs to
operate efficiently
• On the Capability Maturity Model (CMM) for managed organisational processes, it is
always advisable to manage the risks by choosing a supplier that has reached level 5
• The commercial offerings introduced by the cloud have significantly increased the
number and variety of issues for security to manage
Security Issues Relating to Outsourcing
Software Development
Capability Maturity Model Integration (CMMI)
• A process improvement approach providing the essential elements of effective processes
to continually improve their performance
• Useful for security initiatives
• Level 1 (Initial): chaotic/reactive, uncontrolled, unstable
• Level 2 (Repeatable): processes are repeatable, possibly with consistent results,
including during times of stress
• Level 3 (Defined): defined and documented standard processes for the entire
organisation, with improvement over time, plus proactive processes
• Level 4 (Managed): using process metrics, management can effectively control the
process; process capability is established from this level
• Level 5 (Optimising): focus is on continually improving process performance through
both incremental and innovative technological changes/improvements
Security Issues Relating to Outsourcing
Software Development
(Continued)
• It is necessary to ensure that there is a clear understanding of who owns the data on
the platform, what format it will be returned in if the contract ends, and that there
are sufficient controls to protect its confidentiality from other organisations hosted on
the same platform
• Again, as with any third-party development, it is good to have escrow protection to
ensure access to the code if the supplier organisation goes bankrupt or suffers a severe
business disruption
Preventing Covert Channels, Trojans and
Rogue Code
• Mention has already been made of the risks of unwanted code ending up in a product
which is being developed or updated
• Some methodology must be used to examine the code to identify such malware. Also,
code should be developed to an explicitly specified set of standards
• For short sections of code, the code walk-through is a simple yet effective way of
checking for extraneous lines of software, though for many modern products, which are
very much larger, this is not practical
Preventing Covert Channels, Trojans and
Rogue Code
(Continued)
• The testing process will need the use of a system which is separated from the live
network and replicates it as far as is feasible
• Some kind of automated testing tool can be used, in combination with examination of
the audit logs, resulting data and the output of network analysers, to look for abnormal
and unexpected behaviour as part of the testing and acceptance stage of the
development life cycle
• If the application is large, this work can be lengthy and complicated
Preventing Covert Channels, Trojans and
Rogue Code
(Continued)
• It must be noted that this is a most challenging and complicated task to perform
completely, and it soon involves very complex mathematics if taken to its full extent
• There are specialists who know the process, the various tools and their outputs, and it
can be advisable to include one of these in the process if the malware risk and its
possible effect are considered sufficiently high
Handling of Security Patches and Non-
Security Patches
• It is a fact of life that all operating systems and software applications contain bugs
• The length and complexity of the code make it difficult to test every single execution
path through it
• These bugs can have diverse effects, ranging from inaccurate values being saved in a
database to enabling unauthorised access to the network or system
• One way or the other, they will have some kind of adverse effect on the confidentiality,
availability or integrity of the information assets of a company
• When bugs are found, the supplier will usually issue a patch which can be installed to
eliminate the vulnerability
Handling of Security Patches and Non-
Security Patches
(Continued)
• These patches should be tested and installed at the earliest opportunity. Hackers will
also download the patches and try to reverse-engineer them to exploit the vulnerability
if they can
• The elapsed time from the release of a patch to the release of a working exploit is now
usually measured in days
• Some people argue that patches should not be installed on certified products as this
alters the code away from the evaluated target
Handling of Security Patches and Non-
Security Patches
(Continued)
• The official recommendation is that installing a patch to fix a known vulnerability is a
much lower risk than the risk of accidentally introducing another vulnerability at the
same time
• Patches should always be applied, and they should generally be tested before they are
rolled out, in an environment which is not connected to the live system, to ensure that
they do not have an adverse effect on business functionality
• Some platforms are simpler to patch than others; older legacy systems may struggle
with patching and become unstable
Use of Certified Products and Systems
• There are some industry situations and sectors in which the use of software products,
hardware devices and operating systems that have been officially certified to provide a
minimum level of security, safety, reliability or a combination of these is advisable or
even mandatory
• Examples include the nuclear industry, air-traffic control systems, banking, and
government and defence agencies
• There may be industry or government requirements for the use of this type of software,
or it may simply be a requirement defined by the management of the company
• Probably the best-known scheme in use today, and one that is recognised
internationally, is the Common Criteria (CC) evaluation scheme
Use of Certified Products and Systems
(Continued)
• It offers a product assurance scale ranging from Evaluation Assurance Level (EAL) 1 to
7; the higher the number, the higher the level of assurance
• The idea is that, when designing security architectures, an assured product can help to
reduce risk in a quantifiable way. The vital point to note is that every product will have
a 'target of evaluation' or 'security target' of evaluated features and functions
• It is essential to ensure that the features you plan to use are included in that target;
otherwise, the certification is of no value
Use of Escrow to Reduce Risks of Loss of
Source Code
• If a third-party organisation has written or supplied the source code, the client is
dependent on that supplier for support, updates and changes to their software
• In the past, there have been cases where a supplier has been sold to a competitor or
gone out of business, and the end user has been forced to invest large amounts of
money in solving the resulting problems, which pose a threat to their company,
particularly in obtaining support if anything goes wrong
• Escrow is one solution to this. The supplier and client agree on an impartial third party
(often a firm of lawyers or a bank) who will keep a copy of the source code and
development materials
Use of Escrow to Reduce Risks of Loss of
Source Code
(Continued)
• There is a legally binding agreement which defines the circumstances under which the
material is released to the client by the third party, and ownership passes to them with
all the appropriate rights to use and further develop the application as needed
Question 22
Qus 22: In the life cycle of information, which of the following is NOT one of the main
stages?
A. Disposal
B. Creation
C. Acquisition
D. Utilisation
Question 23
Qus 23: What technique should be used on a newly developed system just prior to its
release into a live environment?
A. Penetration testing
B. Multi-factor authentication
C. Protective monitoring
D. PCI DSS
Question 24
Qus 24: What is a COTS product?
A. Commercially operated temporary storage
B. Confidential organisational tested software
C. Certified off-the-shelf
D. Commercial off-the-shelf
Question 25
Qus 25: The management of all alterations to an information system is best achieved by
what service management process?
A. Configuration management
B. Requests for change
C. Change control board
D. All of the options above
My_notes_part1.pdf

  • 1. BCS Foundation Certificate in Information Security Management Principles
  • 2. About The Knowledge Academy • World Class Training Solutions • Subject Matter Experts • Highest Quality Training Material • Accelerated Learning Techniques • Project, Programme, and Change Management, ITIL® Consultancy • Bespoke Tailor Made Training Solutions • PRINCE2®, MSP®, ITIL®, Soft Skills, and More
  • 3. • Trainer • Fire Procedures • Facilities • Days/Times • Breaks • Special Needs • Delegate ID check • Phones and Mobile devices Administration
  • 4. • Domain 1: Information Security Management Principles • Domain 2: Information Risk • Domain 3: Information Security Framework • Domain 4: Security Lifecycle • Domain 5: Procedural/People Security Controls Outlines
  • 5. • Domain 6: Technical Security Controls • Domain 7: Physical and Environmental Security Controls • Domain 8: Disaster Recovery and Business Continuity Management • Domain 9: Other Technical Aspects Outlines
  • 6. Syllabus Weightings 10% 10% 15% 10% 15% 25% 5% 5% 5% Domain 1: Information Security Management Principles Domain 2: Information Risk Domain 3: Information Security Framework Domain 4: Security Lifecycle Doamin 5: Procedural/People Security Control Domain 6: Technical Security Controls Domain 7: Physical and Environmental Security Controls Domain 8: Disaster Recovery and Business Continuity Management Domain 9: Other Techincal Aspects
  • 7. • Domain 1: Information Security Management Principles • Domain 2: Information Risk • Domain 3: Information Security Framework Day 1
  • 8. Domain 1: Information Security Management Principles
  • 9. • Module 1: Information Security Management Principles • Module 2: The Need for, and Benefits of, Information Security Outlines of Domain 1
  • 10. Module 1: Information Security Management Principles
  • 12. Information Security Confidentiality • Confidentiality is defined as the information of that property which is not available or disclosed to unauthorised entities, individuals or processes • Information will usually be provided to only to a limited number of individuals because of its nature, its content or because its broader distribution, involving financial or legal penalties or embarrassment to one party or another • It is a good practice to restrict access to information, and it is based on the principle of confidentiality. Controls for ensuring confidentiality are an integral part of the broader aspects of information assurance management
  • 13. Information Security Integrity • Integrity is defined as the property of accuracy and completeness • Information is only useful if it is complete as well as accurate, and remains so • Maintaining this aspect of information (its integrity) is usually important and assuring that only specific people have the appropriate authorisation for altering, updating or deleting the information is another fundamental principle of Information architecture
  • 14. Information Security Availability • Availability is defined as the property of being usable and accessible upon demand by an authorised entity • Availability is the one domain where developments in technology have increased the difficulties for the information assurance professionals
  • 15. Information Security D – DISCLOSURE (if disclosed it is no longer Confidential) A – ALTERATION (if the alteration hasn’t been properly authorised, the Integrity is challenged) D – DENIAL (if access is denied the Availability is not possible) • The opposite of the CIA Triad is D.A.D.
  • 16. Information Security (Continued) • Therefore, there will always have to be a compromise among the availability of the information and security in its purest sense • Throughout all aspects of IA, this compromise has to be acknowledged and has direct bearing on many of the principles covered in it
  • 17. Information Security Non-Repudiation • Non-repudiation is the assurance that no one can dispute anything • Typically, non-repudiation has an ability for ensuring that a party to a contract or communication can not deny the authentication of their signature on a document or the sending of a message that they originated
  • 18. Cyber Security • The practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks is called cyber security, and it is also called as electronic information security or information technology security • In a variety of contexts this term applies, from enterprise to mobile computing, and can be divided into a few different categories. These are: Network Security Application Security Information Security Operational Security Disaster Recovery and Business Continuity End-user Education
  • 19. Asset and Asset Types (Information, Physical, Software) • Asset: Asset is anything which has value to the organisation • Assets have an array of types as the mechanisms for using them. In information assurance, three main types of assets are considered • The three main types are: 1. Pure Information 2. Physical assets like buildings and computer systems 3. Software used to process or otherwise handle information
  • 20. Asset Value and Asset Valuation Asset Value • The net asset value also called net tangible assets, and it is the book value of tangible assets as well as liabilities on the balance sheet– or the money which would be left over if the company was liquidated • This is the lowest a company is worth and can give a beneficial platform for a company's asset value because it eliminates intangible assets • If stock's market value were below book value it would be considered undervalued, which means the stock is trading at a deep discount to book value per share
  • 21. Asset Value and Asset Valuation Asset Valuation • It is the process of planning the fair market or present value of assets by using book values, option pricing models and absolute valuation models like discounted cash flow analysis • Investment in marketable securities such as stocks, bonds and options; tangible assets such as buildings and equipment; or intangible assets such as brands, patents and trademarks are included in such assets • Asset valuation plays a crucial role in finance and frequently consists of both subjective and objective measurements
  • 22. Threat, Vulnerability, Impact and Risk Threat • A threat is defined as a possible cause of an undesired incident, which may result in harm to a system or organisation • For instance, if we look into the sky and see dark and large clouds, we think about the threat of rain • Basically, to some this threat is not undesirable at all, especially by farmers and so they would not consider the same view of the clouds and their potential for rain – and this is a crucial point to recognise • Threats may vary from one organisation to another. Therefore, it is all dependent on the viewpoint, the situation and the circumstances in which they are being considered
  • 23. Threat, Vulnerability, Impact and Risk Vulnerability • Vulnerability is defined as a weakness of an asset or control which can be exploited by one or more threats • For example, if someone wants to travel out into the cloudy environment without an umbrella, this can be considered a vulnerability • If something (the threat) occurs (it rains), then the outcomes could be detrimental
  • 24. Threat, Vulnerability, Impact and Risk Risk • Risk is defined as the impact of uncertainty on objectives. If there is a threat (of rain) and vulnerability, then there is a risk that the person worried about might get wet and ruin their expensive clothes • There may be other risks associated with this same set of circumstances – ruined hair style, late attendance for an appointment, and so on
  • 25. Threat, Vulnerability, Impact and Risk Impact • The impact is defined as the result of an information security incident, caused by a threat, which affects the assets. The effect of the risk actually occurring is perhaps the most significant concept of all to understand. It is the possible effect which has to be considered and managed in IA • If the impact is insignificant and small – then it may be entirely suitable to accept the risk and to take no further action other than to monitor it. On the other hand, if the possible effect could be dismissal from a well-paid job, then more suitable countermeasures need to be considered
  • 26. Organisational Risk Appetite and Risk Tolerance Risk Appetite • Risk appetite is defined as a target level of loss exposure that the company views as acceptable, given business resources and objectives • In other words, risk appetite is the risk's level that a company is willing to accept while pursuing its objectives, and before any action is defined to be essential in order to decrease the risk
  • 27. Organisational Risk Appetite and Risk Tolerance Risk Tolerance • Risk Tolerance is defined as the degree of variance from the organisation's risk appetite that the organisation is willing to tolerate. In other words, risk tolerance is defined as an organisation's or stakeholder's willingness to bear the risk after the treatment to attain its objectives • Risk tolerance reflects the acceptable variation in results related to particular performance measures associated with objectives the entity seeks to attain
  • 28. Information Security Policy Concepts • Any company must have a policy for its management of IA (Information Assurance). It is generally a brief, punchy statement from the chief executive indicating that they acknowledge the threats to the business resulting from an inadequate assurance of information and will take appropriate steps to deal with them • It should involve statements that make it clear that the organisation regards risk as a serious issue, with it being discussed at all suitable meetings, that it has the right authority and responsibility taking an active interest in it • In order to ensure suitable levels of assurance within the organisation, it is common for organisations to form an information assurance or security working group to lead the activities required
  • 29. The Types, Uses and Purposes of Controls • In the IA sense, controls are those activities that are taken to manage the risks recognised. There are four main kinds of strategic control, although the actual implementation of all these types can be different • Eliminate. Risk avoidance: Informed decision not to be included in, or to withdraw from, an activity in order not to be disclosed to a particular risk It means taking a course of actions which removes the threat of a specific risk occurring at all • It could entail removing a specific item that is unsafe, choosing to do things in a distinctive way or any number of other options. This action is sometimes referred to as ‘avoid’, prevent, or terminate
  • 30. The Types, Uses and Purposes of Controls (Continued) • Reduce. Risk reduction: Action is taken to decrease the negative consequences, possibility, or both, associated with risk • The meaning of this is to take one or more actions which will lessen the likelihood or the impact of the risk occurring. It is rare for action to both decrease the effect of risk and possibility • It is often required to use many of these measures in partnership to have the desired overall effect
  • 31. The Types, Uses and Purposes of Controls (Continued) • Transfer. Risk transfer: A form of risk treatment including the agreed division of risk with other parties • This means to take steps to move the accountability for a risk to another company who will take on the accountability for the future management of the risk
  • 32. The Types, Uses and Purposes of Controls (Continued) • Accept. Risk acceptance: Decision to accept the risk It means senior management accepting that it is not considered sensible or practical to take any further action rather than to monitor the risk • There could be several reasons why other actions are deemed inappropriate, including but not limited to: the possible impact of a risk is too small; the possibility of a risk occurring is very small; the price of appropriate measures is extremely high as compared to the financial impact of the risk occurring; the risk is outside the direct control of the company
  • 33. Defence in Depth and Breadth Defence-in-depth • Defence in depth typically refers to the traditional methodology of IT security in which different layers of security are implemented for protecting the IT infrastructure. It is similar to the layers of an onion with each onion layer representing a security layer • Defence in depth was adopted from military defence strategy, used particularly in medieval times for protecting the monarchs in their castle • The enemy has to fight through all the various outer layers to get to the king in the innermost centre of the castle, a difficult job to accomplish • Similarly, each layer of the OSI reference uses a security strategy for defense-in-depth security to protect the data residing in the innermost core of the IT infrastructure
  • 34. Defence in Depth example Physical Access Controls Logical/Techni cal Controls Administrativ e Access Controls Defense in Depth with Layered Security
  • 35. Defence in Depth and Breadth Defence-in-breadth • Defence in depth has done a good job in the past, but as IT evolves, particularly with the advent of IoT and cloud, there is a requirement to take a diverse look at how traditional security controls are implemented • Based on the existence of modern IT infrastructures, it is not the case of throwing the baby with the bathwater, but rather a case of preserving what works and augmenting it • At each layer of the OSI reference, defence in breadth is about the implementation of multiple security controls. It is also about the automation of security processes and controls
  • 36. Identity, Authentication and Authorisation Identity • Information that explicitly differentiates one entity from another one in a given domain. Often there is a need to establish who is evaluating information, and the identity of individuals may be necessary • This may enable, for instance, audit trails to be produced to see who changed a particular item of data and therefore to assign a suitable level of confidence to the change. This concept is equally applicable to the assets such as definite pieces of information which require to be recognised uniquely
  • 37. Identity, Authentication and Authorisation • Identity can be claimed using: 1. User name 2. User ID 3. Account number 4. Personal Identification Number (PIN) 5. Digital identification
  • 38. Identity, Authentication and Authorisation Authentication • The assurance's provision of the claimed identity of an entity. This process makes sure that the individual is who they say they are and confirms their identity to a suitable level of confidence, appropriate for the task in hand • This could be merely asking them for their date of birth, at the most basic level, through to completing a complicated identity check using, for instance, biometrics, tokens, and detailed biographical-data checks
  • 39. Identity, Authentication and Authorisation Authentication • The following are the three basic methods of authentication: Type 1 A Type 1 authentication factor is something that a user will know. It comprises a password, personal identification number (PIN), or passphrase Type 2 A Type 2 authentication factor is something that a user has. It comprises a smartcard, Universal Serial Bus (USB) drive, hardware token, and memory card Type 3 A Type 3 authentication factor is something that the user is, and the user does. Something that user ‘is’ comprises fingerprints, retina patterns, etc. and something that user ‘do’ comprises signature and keystroke dynamics Something you know Something you have Something you are
  • 40. Identity, Authentication and Authorisation Authorisation • The right or permission which is granted to a system entity to access a system resource (ISO/TR 22100-4) • For anyone to use a system of information retrieval, management and so on, it is good practice to have the authorisation method which makes clear the assets to which someone must have access and the kind of access they should have • This authorisation will differ depending on the individual, the business requirement, the type of asset and a range of other aspects. Who has the authority to approve such authorisations will vary according to the type of usage needed
  • 41. Accountability, Audit and Compliance Accountability • The property which assures that the actions of an entity can be traced to the entity uniquely • When any action is taken out on an information system or as part of the information assurance management system, an individual requires to be accountable for that action • The person who has responsibility may delegate the actual work to someone else, but they still retain the responsibility
  • 42. Accountability, Audit and Compliance Audit • The review of a party’s ability to meet, or proceed to complete, the initial and continuing approval agreements as a service provider. It is the checking (formal or informal) of the records of the system to assure the activities that were expected to have taken place have occurred actually • The objectives of an audit could involve recognising gaps in the functionality of the system, noting trends overtime to assist with problem resolution or identification, or some other requirements. It can also assist in recognising the misuse of information or the improper use of authorisation, for example, and thus identify the unauthorised activity
  • 43. Accountability, Audit and Compliance Compliance • Meeting or exceeding all relevant needs of a standard or other published set of requirements • Assuring that a system or process complies with the expected or defined operating procedure is compliance • This could comprise a major operation, like a whole organisation being compliant with an identified national standard for information assurance, or could be much more restricted with just particular aspects of the operation, or even individual users of a particular system are compliant • In general, compliance should be individually audited to achieve certification against a standard; for example, a legal or regulatory framework
  • 44. Information Security Professionalism and Ethics • General awareness of the work performed by information assurance professionals is gradually improving as organisations become highly complex with more and more information being processed and managed • The adage that the staff are the organisation's most critical asset could now be seen to be outmoded since it is frequently the case that it is the information an organisation holds and uses efficiently that has become its most important asset • Hence, looking after it has also grown in importance, and the whole profession has evolved to meet the requirement
  • 45. The Information Security Management System (ISMS) • Information Security Management System (ISMS). It is a part of the overall management system, based on a business risk approach, used to establish, operate, implement, review, monitor, maintain and improve information security • The primary principle behind the ISMS is that there should be a 'one-stop-shop' for all information pertinent to the assurance of information inside a company • As soon as there is a need to go looking for documentation, practices, policies or anything else to do with assurance, the possibilities are that someone will not bother and will do their own thing • The result of this strategy will surely be a decrease in the overall level of assurance
  • 46. Information Assurance and Information Governance Information Governance • Information Security Governance is a system by which a specific organisation's information security activities are directed and controlled • Like IT Governance, GSI represents an organisational governance's unfolding, and although in general, there are many potential models, GSI and GTI have a certain overlap, relying on their respective objectives and scope
  • 47. Information Assurance and Information Governance (Continued) • It is imperative that the company is aware of and put into practice principles which provide a solid foundation for the application of information security governance processes to attain these goals. There are six principles of information security governance: Establish information security throughout the organisation Take a risk-based approach Establish the direction of investment decisions
  • 48. Information Assurance and Information Governance (Continued) Ensure compliance with internal and external requirements Promote a positive security environment Performance analysis
  • 49. Module 2: The Need for, and Benefits of Information Security
  • 50. The Importance of Information Security as Part of a Business Model Information Security • Integrity and availability of information, preservation of confidentiality; besides this, other properties such as accountability, non- repudiation, authenticity and reliability can also be involved. Neither assurance nor information operates in a vacuum • Both require to take account in the environment in which they are operating and address the issues that this environment brings with it
  • 51. The Importance of Information Security as Part of a Business Model Information Assurance (IA) • The confidence in which the information systems will protect the information while they carry and will function as they require to, under the legitimate user's control • Technical, administrative and physical controls are required to accomplish these tasks • While focused mainly on the information in digital form, the full range of IA encompasses not only digital but also physical or analogue form
  • 52. Different Business Models and their Impact on Security • The basic reason for this is the increased use of technology that has allowed the business to be transacted remotely instead of a person. One of the results of this is that number of people can make their business transactions themselves instead of expecting from others to act as intermediaries • No longer do we require to use travel agents to book our flights, local garages to take our cars for financial advisors or us to attain investment packages for us. All these and many more transactions can be taken out directly with the supplier, often using the internet for communications, or with a trader in a different part of the country or the world who can offer a better deal
  • 53. Effects of Rapidly Changing Information and Business Environment • The dominant factor in the society today is change, continuing change, inevitable change, it is now well known that for a business to survive in the existing environment of change, it must adapt and be capable of adapting rapidly • It indicates that what was acceptable as a business practice last week may no longer be acceptable this week; hence, any assurance system put in place must reflect this changing environment and be flexible enough to cope with it • However, this does not indicate that assurance can be relaxed or decreased in any way • Indeed, if anything, the flexibility should provide a higher level of security and assurance that risks are being handled efficiently
  • 54. Balancing Cost and Impact of Security With the Reduction in Risk • Life can never be free from risk. It is usually considered that life is all about risk and its efficient management. The measures taken in an organisation for reducing risk to an acceptable level can at times become very expensive • It is necessary to struck a careful balance among the cost or business effect of a risk if it happens and the cost of the steps taken to minimise its possibility or impact. Insurance is a typical example. By giving the essential financial backing to be used to deal with the occurrence of a risk, an insurance policy may help offset the cost of a risk
  • 55. Balancing Cost and Impact of Security With the Reduction in Risk (Continued) • Maintaining the currency of risk countermeasures is the second problem. Once defined and planned, it is essential that they are not merely put on the shelf to await the risk arising • The world around us changes, so the countermeasures may not be valid, or their efficacy or cost may change as time goes on • Risk management and the preservation of the consequential actions taken is a continuous and iterative process that must not be permitted to whither through lack of action or a misplaced belief that the situation will not alter
  • 56. Information Security as Part of Overall Company Security Policy • Assurance or security is not an add-on; it is not possible to deal appropriately with assurance by considering it as an additional expense to be avoided if at all possible • The most efficient way to deal with it is to involve it from the beginning in all areas of the organisation • To this end, the assurance inclusion as part of the operational policy of the organisation is the only cost-effective method of covering the issues appropriately • There are apparent similarities among information assurance and health and safety issues
  • 57. Information Security as Part of Overall Company Security Policy (Continued) • The battle for a secured working environment has been lost as soon as health and safety are seen as one person’s problem • Similarly, assurance is not the concern only of the information security manager, but of the entire organisation • It is necessary also that this involvement is from the top of the organisation to the bottom. Just implementing IA at the middle management or on the shop floor is meaningless and will surely lead to further assurance issues • Senior management has an important role to play to assure that they engender a working environment where IA is the norm and accepted by all
  • 58. The Need for a Security Policy and Supporting Standards, Guidelines and Procedures • Having only a policy for information security or information assurance on its own is meaningless • It must be supported entirely by the guidelines of how to do things correctly, a range of other documentation including the standards expected, and procedures for what must be done to preserve the information assurance in question • This documentation must be comprehensive but digestible, something that can be read quickly and something they will truly read
  • 59. The Need for a Security Policy and Supporting Standards, Guidelines and Procedures (Continued) • It is an excellent practice to make sure that any procedures to be followed are in detailed and an easily digestible format, perhaps as checklists for operators or support technicians, or as desk cards or prompts for users • However, this is not only about computers, but it must be remembered • For instance, procedures are also needed for the management of physical assets such as filing cabinets, involving how they must be cleared before their disposal to evade the inadvertent inclusion of a confidential file for the second-hand filing cabinet marketplace
  • 60. The Relationship with Corporate Governance and Other Areas of Risk Management • In recent years the advent of some very-high-profile commercial, criminal studies have resulted in higher stringent and invasive legislation about risk-taking in companies. It is no longer beneficial or acceptable to delegate the responsibility for risk management which is down to the manager of the IT section • The implementation of effective IA should lies at the core of each organisation regardless of their size, business or sector. Properly implemented, the information' secure management can ensure that risk is being managed effectively in that area at least and can form the firm foundation for further risk management in related areas • Suppose all information is covered by the measures implemented, in that case, operational, the financial, intellectual property rights and an entire range of other risk areas can be managed by the establishment of a single framework
• 61. Security as an Enabler; Delivering Value Rather Than Cost • In the information economy in which we all now live, the cost of the loss, non-availability, corruption or unauthorised release of information can be very high • The effective implementation of IA measures can have a very beneficial effect on the potential costs of such events • Therefore it is easy to develop a compelling and convincing business case for the effective management of information through the use of an approved standard and its related processes • While it may not be possible to eradicate the risk, it should be possible to ensure at least that the probability of the risk occurring is significantly decreased, or that the business impact, should the risk materialise, is considerably reduced
• 62. Question 1 Q1: If the accuracy of information is a major concern, which of the following would reflect that this is covered effectively? A. Confidentiality B. Integrity C. Availability D. None of these
• 63. Question 2 Q2: When a user logs onto a computer system and is asked for their mother's maiden name, which of the following aspects is the system ensuring? A. Accountability B. Authorisation C. Authentication D. Applicability
• 64. Question 3 Q3: ISO/IEC 27001 is an international standard for information security. Which organisation is responsible for its maintenance? A. The British Standards Institute B. The government of the country in which it has been implemented C. The European Union Standards Committee D. The International Organisation for Standardisation
• 65. Question 4 Q4: How should the implementation of an information assurance system be seen within an organisation? A. As a problem for the IS department only to sort out B. As a problem on which the senior managers should make a decision, but then leave to others to deal with C. As a whole-organisation issue D. As an issue where outside expertise is the best solution
• 66. Question 5 Q5: How should the use of an international standard for information security be viewed by senior managers within an organisation? A. As a good idea if there was the right business environment in which to implement it B. As implementing best practice C. As overkill, unless there are very serious problems with assurance D. As the pet idea of the IT director, who thinks it will look good to shareholders in the next annual report of the organisation
• 68. Outlines of Domain 2 • Module 1: Threats to, and Vulnerabilities of, Information Systems • Module 2: Risk Management
• 69. Module 1: Threats to, and Vulnerabilities of, Information Systems
• 70. Threat Intelligence and Sharing • One of the greatest challenges of intelligence sharing is that businesses do not know how sharing any of their network data will strengthen their security over time. There is a fear that anything open to disclosure makes you inherently more vulnerable, similar to the early days of open-source software • As open source ultimately proved, more people cooperating in the open can lead to several positive results, including better security. The other major challenge is that blue teams do not have the luxury of sharing threat intelligence with heedless abandon: there are legal teams to consult and legal constraints to respect
• 71. Threat Categorisation (Accidental and Disasters, Internal and External) Accidental and Disasters • Accidents and disasters may cause information-related problems for companies • Most of these will be accidental, and many will involve natural disasters such as landslides, floods, earthquakes and tsunamis, though they can also involve environmental disasters such as chemical leaks and explosions • Accidental threats are sometimes referred to as hazards, particularly when related to external events • The implication is that there has been no intentional effort to carry out the threat; it has merely occurred
• 72. Threat Categorisation (Accidental and Disasters, Internal and External) Internal and External • Internal threats arise from someone who has authorised access to the network, either through an account on a server or through physical access to the network • A threat can also be internal to the company as the result of the failure of a company process or of employee action
• 73. Threat Categorisation (Accidental and Disasters, Internal and External) (Continued) • External threats come from people or organisations operating outside the company; they do not have authorised access to its computer networks or systems • The most apparent external threats to resident data and computer systems are natural disasters such as hurricanes, floods, fires and earthquakes • External attacks arrive through partner networks, other connected networks or physical intrusion
• 74. Types of Accidental Threats Accidental Threat • Accidental threats are circumstances in which data loss or damage occurs as a result of an insider who has no malicious intention • For instance, an employee can accidentally delete an important file, fall victim to a phishing attempt, or inadvertently share more data with a business partner than is consistent with legal requirements or organisational policy
• 75. Types of Accidental Threats • The most common causes of breaches arising from accidental threats are: 1. Weak passwords 2. Password sharing 3. Unsecured Wi-Fi 4. Unlocked devices 5. Phishing attempts
• 76. Types of Deliberate Threats • Deliberate threats to information infrastructure are of several types: 1. Espionage or trespass 2. Information extortion 3. Sabotage or vandalism 4. Theft of equipment or information 5. Identity theft 6. Software attacks 7. Supervisory Control and Data Acquisition (SCADA) attacks 8. Cyberterrorism and cyberwarfare
• 77. Types of Deliberate Threats 1. Espionage or Trespass: espionage or trespass occurs when an unauthorised person attempts to gain illegal access to organisational information. It is essential to distinguish competitive intelligence from industrial espionage. Competitive intelligence includes legal information-gathering techniques, such as attending trade shows and studying the organisation's website and press releases. Industrial espionage, in contrast, crosses the legal boundary 2. Information Extortion: information extortion happens when an attacker either steals information from an organisation or threatens to do so. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to reveal it
• 78. Types of Deliberate Threats 3. Sabotage or Vandalism: sabotage and vandalism are deliberate acts such as defacing a company's website, potentially damaging its reputation and causing its clients to lose trust. Hacktivism (or cyberactivism) is one kind of online vandalism 4. Theft of Equipment or Information: with vastly increased storage capacity, storage and computing devices are becoming smaller yet more powerful. Consequently, these devices are easier to steal and easier for attackers to use to steal data. Rummaging through residential or commercial rubbish to find discarded information is one type of theft, known as dumpster diving. Paper files, emails, memos, photos, IDs, passwords, credit card details and other types of information can be found in dumpsters
• 79. Types of Deliberate Threats 5. Identity Theft: identity theft is the deliberate assumption of another individual's identity, generally to obtain access to their financial information or to frame them for a crime. Methods for illegally gathering personal information include: stealing mail or dumpster diving; infiltrating organisations that store large amounts of personal information; stealing personal information from computer databases; impersonating a trusted company in electronic communication (phishing) 6. Software Attacks: software attacks have evolved since the early years of the computer era, when attackers used malicious software to infect as many computers worldwide as possible. Modern cybercriminals use sophisticated, blended malware attacks, usually delivered through the web, to make money
• 80. Types of Deliberate Threats 7. Supervisory Control and Data Acquisition (SCADA) Attacks: SCADA systems are large-scale, distributed measurement and control systems. They are used to monitor or control physical, chemical and transport processes in facilities such as water and sewage treatment plants, oil refineries, nuclear power plants and electrical generators 8. Cyberterrorism and Cyberwarfare: cyberterrorism and cyberwarfare are malicious actions in which attackers, typically pursuing a political agenda, use a target's computer systems, especially via the Internet, to cause physical, real-world harm or serious disruption. These actions range from collecting data to attacking critical infrastructure
• 81. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT Dark Web • The web is often divided into three sections: the surface web, the deep web and the dark web. The web we regularly browse is the surface web, and it is accessible to the general public. The deep web consists of internet resources that are behind a paywall, blocked from indexing or require authentication to access, such as your online bank account • The dark web is a part of the internet that requires specialised software such as Tor or I2P to access. The dark net has various layers of encrypted resources which mask the identity of its users. Regular search engines cannot access or reach this online space
• 82. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT Effects • The influence of the dark web can be far-reaching. For some companies, the dark net only became a reality after an attack or data leak was discovered • The dark web not only causes financial loss to a business but also damages its reputation • A particular challenge is that a company may not know when cybercriminals are trading its private data
• 83. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT What is Sold? • Login credentials • Financial records • Trade secrets and formulas • Medical records • Credit card data • Research data
• 84. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT IoT Vulnerabilities • There are various attack vectors associated with Internet of Things devices. Since most of them are reachable over the network, securing an overall IoT infrastructure is quite challenging 1. A Shaky Web Interface: many devices have a built-in web server which hosts a web application to manage them. Like any web server or application, there may be defects in the source code which leave the interface vulnerable to attack
• 85. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT 2. Improper Use of Authentication or Authorisation Mechanisms: IoT devices frequently have flaws in the implementation of their authentication or authorisation mechanisms. The problem is compounded when the security features that the devices do provide are not used by customers to their fullest extent 3. Insecure Network Services: IoT devices include tools for testing and diagnostics, along with services such as debugging. These "maintenance" services have probably been only lightly tested, making exploitable code behind them likely. More generally, more features mean more security flaws in the IoT devices and their supporting infrastructure
• 86. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT 4. Absence of Transport Layer Encryption: if an IoT device sends private data over an unprotected protocol, anybody on the path can read it. This underscores the importance of using secure communication protocols with these devices 5. Privacy Issues: if data is not encrypted on the IoT device and other people have access to the device, that data is exposed to theft and misuse 6. Unreliable Cloud Interface: many IoT devices connect to the cloud, so a cloud-based management interface presents yet another possible point of attack. By contrast, an on-device management interface is harder for a remote attacker to reach, as it sits behind the home firewall or router
• 87. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT Challenges/Issues in Big Data Security • As big data is an attractive target for attackers, data professionals need to play an active role in providing data security. The increase in third-party applications and bring-your-own-device policies has given rise to further concerns about big data security • Big data often depends on cloud storage, though it is not just the cloud that introduces security issues: third-party applications can easily introduce risk into the company network when security measures are not up to the organisation's established standards and the applicable government policies
• 88. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT • Some of the key data security issues that should be considered are: 1. Access authentication 2. Data security 3. Data mining 4. Intrusion detection and prevention
• 89. Threats from the Dark Web and Vulnerabilities of Big Data and the IoT (Continued) 5. Protecting communications 6. Key management 7. Storage 8. Real-time data security monitoring
• 90. Sources of Accidental Threat Insider Threat • An insider threat is a person who uses the access they have been granted to the resources of a company to cause harm to the business. Although it is tempting to associate the term with malicious intent, the majority of insider threats come from negligent rather than malicious insiders • There are two types of insider threat: 1. Malicious insider 2. Negligent insider
• 91. Sources of Accidental Threat 1. Malicious Insider: a malicious insider is a person who intentionally steals data from a company or carries out an activity with the intent to harm it. Generally it is someone who has legitimate network access and abuses that access for personal satisfaction or gain. Usual goals and drivers include: financial gain; a personal vendetta; intellectual property theft; espionage on behalf of another organisation 2. Negligent Insider: a negligent insider is someone who accidentally compromises data or puts the company at risk through insecure behaviour. This includes not just direct employees of a company but also contractors and third-party vendors. Examples of insecure behaviour include: emailing sensitive information to the wrong person; falling victim to a phishing attack; losing a laptop; circumventing security policy or using poor judgement when accessing organisational resources
• 92. Vulnerability Categorisation • Vulnerabilities of IT systems fall into two broad categories: general vulnerabilities and information-specific vulnerabilities o General vulnerabilities: basic weaknesses in software, hardware, facilities or buildings, processes, people and procedures o Information-specific vulnerabilities: unsecured computers, including personal computers, memory sticks and hand-held devices; unpatched operating systems, applications and servers; unsecured wireless systems; unsecured network boundary devices; unsecured email systems; unsecured web servers; unlocked filing cabinets
• 93. Vulnerability Categorisation (Continued) • The vulnerability of smartphones to information leakage has recently become broadly recognised; many of the applications written for them enable others to access not only the device's stored information but also its metadata, such as the user's location • The increasing use of cloud-based services, whether platform as a service (PaaS), infrastructure as a service (IaaS) or software as a service (SaaS), means that there is a further possibility of information leakage because of vulnerabilities in the cloud services themselves
• 94. Vulnerabilities of Specific Information System Types E-mail Vulnerabilities • E-mail is one of the most popular delivery mechanisms for worms, viruses, Trojans and other malicious code. Client features such as automatic download and automatic execution of content have turned hyperlinks in e-mail bodies and attachments into a serious threat to every system • The protocols used in the basic e-mail infrastructure are not secure: as originally designed they provide no encryption and transfer mail in plain text • E-mail is also vulnerable to spoofing, in which the attacker sends an e-mail bearing the victim's e-mail address as the sender
• 95. Vulnerabilities of Specific Information System Types (Continued) • E-mail itself can also be used as the attack. For instance, in a denial of service (DoS) attack an individual sends an immense number of messages to a victim's inbox, filling the account so that it can no longer receive legitimate mail; this is also known as e-mail bombing Secure your E-mail • The essential requirement for securing e-mail is to maintain the confidentiality of the messages being exchanged. This is possible through security protocols, some of which are: MOSS, S/MIME, PGP and PEM
• 96. Vulnerabilities of Specific Information System Types 1. S/MIME (Secure/Multipurpose Internet Mail Extensions): a security protocol which offers both authentication and confidentiality of e-mail via public-key cryptography and digital certificates 2. MOSS (MIME Object Security Services): provides authentication, confidentiality and non-repudiation of e-mail messages. Non-repudiation is the property that the sender cannot later deny having sent a message. MOSS uses a variety of algorithms to provide confidentiality and authentication; examples include the MD2 and MD5 message digests and the Data Encryption Standard (DES)
• 97. Vulnerabilities of Specific Information System Types 3. PEM (Privacy Enhanced Mail): an e-mail encryption standard which uses RSA, X.509 certificates and the Data Encryption Standard (DES) to provide integrity, authentication and confidentiality 4. PGP (Pretty Good Privacy): PGP uses a variety of encryption algorithms and public/private key cryptography to encrypt and sign e-mail so that it can be sent securely. The initial version used RSA for its public-key operations, but later versions offered other options as well
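The spoofing point above is easiest to see in code: nothing in SMTP checks that the From: header belongs to whoever submitted the message, so a recipient can only trust the sender if the message carries a signature over its headers and body, which is what S/MIME and PGP provide. The following is an added example written for this page, not course material. Python's standard library has no public-key cryptography, so an HMAC with a key shared by sender and verifier stands in for the public-key signature that S/MIME or PGP would use; the shape of the check (canonicalise the signed fields, compute, compare) is the same. The addresses, subjects, bodies, the signing key and the X-Example-Signature header name are all invented for the demonstration.

```python
"""Added example (not from the course slides): a From: header proves nothing
about the sender; a signature over the headers and body does.

Assumptions: everything below (domains, addresses, message text, key and the
X-Example-Signature header) is constructed. An HMAC with a key shared by
sender and verifier is used in place of the public-key signature that S/MIME
or PGP would apply, because the standard library has no asymmetric crypto.
"""
import hashlib
import hmac
from email import message_from_string, policy
from email.message import EmailMessage

# Hypothetical key. With S/MIME or PGP the sender would hold a private key and
# the verifier the matching certificate / public key instead of a shared secret.
SIGNING_KEY = b"example-only-shared-secret"
SIGNED_HEADERS = ("from", "to", "subject", "date")
SIG_HEADER = "X-Example-Signature"


def canonical(msg):
    """Serialise the signed headers and the text body in a fixed form so the
    sender and the verifier hash exactly the same bytes."""
    parts = [f"{h}:{str(msg[h] or '').strip()}" for h in SIGNED_HEADERS]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    parts.append(text.replace("\r\n", "\n").strip())
    return "\n".join(parts).encode("utf-8")


def sign(msg):
    """Sender side: attach a signature covering From/To/Subject/Date and body."""
    msg[SIG_HEADER] = hmac.new(SIGNING_KEY, canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify(msg):
    """Recipient side: True only if the signature matches the message as received.
    A message without a signature is rejected, so an attacker who can forge
    the From: header but does not hold the key cannot pass."""
    tag = msg[SIG_HEADER]
    if not tag:
        return False
    expected = hmac.new(SIGNING_KEY, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(str(tag).strip(), expected)


def build(sender, recipient, subject, body):
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = "Mon, 01 Jan 2024 09:00:00 +0000"
    msg.set_content(body)
    return msg


def scenario_results():
    """Three constructed messages: genuine (signed, then serialised and parsed
    again as a receiving MTA would), spoofed (forged From:, no key, so no
    signature) and tampered (genuine message with its body altered in transit)."""
    genuine = sign(build("alice@example.com", "bob@example.com",
                         "Invoice", "Please pay invoice 42."))
    received = message_from_string(genuine.as_string(), policy=policy.default)
    spoofed = build("alice@example.com", "bob@example.com",
                    "Invoice", "Please pay invoice 42 to the new account.")
    tampered_text = genuine.as_string().replace("invoice 42", "invoice 42 to the new account")
    tampered = message_from_string(tampered_text, policy=policy.default)
    return {"genuine": verify(received), "spoofed": verify(spoofed), "tampered": verify(tampered)}


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:9s} -> {'accepted' if ok else 'rejected'}")
```

The spoofed message is rejected even though its From: header is identical to the genuine one, and the tampered copy is rejected because the body no longer matches what was signed; only the untouched copy verifies. In a real deployment the verifier would also need the sender's certificate or key to be trustworthy, which is the part of S/MIME and PGP that the shared-secret stand-in glosses over.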
• 98. Vulnerabilities of Specific Information System Types Network Vulnerabilities • Network vulnerabilities are flaws or loopholes in software, hardware or processes which can threaten normal network operation • Vulnerabilities put your business and your clients' sensitive data at risk: they provide easy entry for attackers and lead to reputational damage, lost sales and penalties • Network vulnerabilities can be broken down into firmware, hardware, software and human vulnerabilities. If any of these is not managed properly, your network will be easy to break into
• 99. Vulnerabilities of Specific Information System Types Causes of Network Vulnerabilities • Many organisations' networks contain vulnerabilities and loopholes • Devices which are outdated or nearing the end of vendor support make it easy for attackers to get their hands on internal information and essential data • Moreover, your network is at risk if you are not up to date with patching
• 100. Vulnerabilities of Specific Information System Types (Continued) • Common causes of network vulnerabilities include: • Weak passwords • Unauthorised or excessive access • Insecure backup methods • Poor user tracking • Weak or default SNMP community strings
• 101. Vulnerabilities of Specific Information System Types Web Server Vulnerabilities • A web server is a program which stores files and makes them accessible over the internet or a network • A web server needs both hardware and software. Attackers usually target flaws in the software to obtain unauthorised entry to the server. Some general vulnerabilities that attackers take advantage of: o Default Settings: for example, attackers can easily guess default user IDs and passwords. Default settings might also permit specific tasks such as running commands on the server, which can be exploited
• 102. Vulnerabilities of Specific Information System Types (Continued) o Misconfiguration of Networks and Operating Systems: specific configurations, such as permitting users to execute commands on the server, can be hazardous if the user does not have a strong password o Bugs in the Operating System and Web Server Software: known bugs in the web server software or the operating system can be exploited to gain unauthorised access to the system o Lack of Security Policy and Procedures: the absence of security policies and procedures, such as updating antivirus software and patching the web server software and operating system, creates security loopholes for attackers
• 103. The Contribution of Threats, Vulnerabilities and Asset Value to Overall Risk Threats • A threat is a potential cause of an unwanted incident, new or newly discovered, which may harm a system or your organisation • There are three types of threat: • Natural threats, such as floods, hurricanes or tornadoes • Unintentional threats, such as an employee mistakenly accessing the wrong information • Intentional threats, such as spyware, malware, adware companies, or the actions of a disgruntled employee
• 104. The Contribution of Threats, Vulnerabilities and Asset Value to Overall Risk Vulnerability • A vulnerability is a known weakness of an asset (resource) that one or more attackers can exploit. In other words, it is a known problem which enables an attack to succeed • For instance, when a team member resigns and you forget to change logins, disable their access to external accounts, or remove their name from company credit cards, your business is left open to threats which are both deliberate and unintentional • Most vulnerabilities, however, are exploited from the other side of the network by automated attack tools rather than by a human at a keyboard
• 105. Impact Assessment of Realised Threats Types of Impact 1. Operational Loss: damage to a company's operating ability. It includes loss of service availability, manufacturing output and service data. For instance, a business whose operations depend on IT systems can be prevented from performing any work by a cybersecurity incident. Even on a manufacturing line, the machinery which produces the products takes its instructions from computers which could be taken offline by a threat 2. Financial Loss: damage to a company's wealth. It includes organisational losses, legal fees and compensation. Financial loss is the actual increase in costs or reduction in income caused by the threat; this could be replacing equipment damaged by sabotage, or lost sales because your website was taken down by a malicious attack
• 106. Impact Assessment of Realised Threats (Continued) 3. Reputation Loss: the loss of faith and lowered standing of a business in the eyes of individuals as a consequence of their being affected by a threat. It could result from a loss of employee or customer information, or a loss of service. The loss of service leads to clients who no longer want to do business with a company because of concerns over whether the service will be available. If you subscribed to a website and its service regularly went down because of cybersecurity incidents, you would soon question whether to continue using it 4. Intellectual Property Loss: the theft of trade secrets or product designs, to the detriment of the company. It may be carried out by a competitor as corporate espionage, or by a person who wants to blackmail the company or release the material. For instance, stolen product designs could be used by a competitor to release a rival product, and a stolen trade secret has much the same impact as a competitor obtaining the formula for a product so that they can make it themselves
  • 107. Module 2: Risk Management
• 108. Risk Management Process • Risk management includes different stages: o Context establishment o Risk assessment o Risk treatment o Communication and consultation o Continuous monitoring and review • Risk assessments may take place at various levels, for example across a business system or process, a corporation or a physical location • While these are very diverse kinds of risk assessment, the manner in which they are carried out and the way the outcomes are used are basically the same
• 109. Risk Management Process (Continued) Context Establishment • The process begins by understanding what the company's information assets are and how they fit into the overall business model Risk Identification • Recognising the threats is one way to begin a risk management exercise. It should be carried out in the light of any known vulnerabilities • For instance, if the assessment looks at the threat of possible hacking attacks on a web server, the operating system and web server software vulnerabilities should be considered
• 110. Risk Management Process (Continued) Risk Analysis • After identifying the effect or effects of every threat, the next step is to evaluate the probability of each occurring • It is tempting at this stage to assume that, because the system may be completely up to date with its security patches, there is a low probability of a threat being realised • However, it should be remembered that patching is continuous work, and if it falls behind, the likelihood of an attack succeeding will rise • It must also be remembered that new vulnerabilities are continuously being discovered
• 111. Risk Management Process (Continued) Risk Treatment • Having decided from the product of the risk matrix the priority in which to treat the risks identified, a risk treatment plan should be produced. This is dealt with in greater detail later and allows for four basic choices, usually recognised as strategic controls: o Avoiding or terminating the risk entirely, often by not doing something which may incur an unacceptable level of risk; o Reducing or modifying either the probability or the effect of the risk, typically through some form of risk mitigation;
• 112. Risk Management Process (Continued) o Transferring or sharing some part or all of the risk, for instance by insuring against the eventuality; o Accepting or tolerating the risk, a common choice when the assessed level of risk is low Communication and Consultation • Throughout the risk management process, those conducting the work should maintain good communication with other parts of the company, particularly those who are responsible for the assets in question and who may ultimately have to agree the form of risk treatment, manage the work to completion and fund it
• 113. Risk Management Process (Continued) Monitoring and Review • The final stage of the risk management process is to monitor the outcomes of risk treatment. Depending on the type of threat, the frequency of this phase can differ • Some threats change very rapidly and need monitoring at frequent intervals; others change little over long periods and require only occasional monitoring • The overall risk management process needs to be repeated over time, because some threats may disappear entirely and new threats may arise. Again, the interval will depend on the company's risk appetite and may well be documented in a risk management policy or strategy
• 114. Strategic Options for Dealing with Risks and Residual Risk • Once an organisation understands the amount of risk it faces, it must decide how to manage it. There are four primary methods of dealing with risk: transfer it, avoid it, reduce it or accept it • Various types of insurance are available to organisations to protect their assets. If an organisation decides that the residual or total risk is too high to gamble with, it can buy insurance, which transfers the risk to the insurance company • The risk is reduced if the company implements countermeasures. If management decides that the activity which incurs the risk does not have a strong business case for its existence, it can stop the activity altogether; this is referred to as avoiding the risk
• 115. Strategic Options for Dealing with Risks and Residual Risk (Continued) • There is an essential distinction between total risk and residual risk, and in which of the two an organisation is prepared to accept. The following are conceptual formulas: threats x vulnerability x asset value = total risk; (threats x vulnerability x asset value) x controls gap = residual risk • Threats and vulnerabilities are identified during a risk assessment. The likelihood of a vulnerability being exploited is multiplied by the value of the asset being assessed, which gives the total risk; the share of that risk not removed by the controls in place (the controls gap) gives the residual risk
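The risk analysis, risk treatment and residual-risk slides above describe one procedure: score each risk, rank by residual risk, then pick avoid, reduce, transfer or accept against the organisation's risk appetite. The following is an added example of that procedure written for this page; it is not course material. The 1-5 scales for threat likelihood and asset value, the 0-1 scales for vulnerability and controls gap, the appetite threshold, and every asset, threat and candidate control in the register are constructed assumptions chosen so that each of the four strategic options is exercised once. It also shows the Risk Analysis slide's point that a lapse in patching changes the answer.

```python
"""Added example, not from the course slides: a small risk register applying

    threats x vulnerability x asset value = total risk
    (threats x vulnerability x asset value) x controls gap = residual risk

then ordering the register for treatment and choosing one of the four
strategic options (avoid, reduce, transfer, accept) against a risk appetite.
Scales, appetite, assets, threats and controls are all constructed.
"""
from dataclasses import dataclass, field, replace

RISK_APPETITE = 6.0  # hypothetical: residual risk at or below this is tolerated


@dataclass
class Control:
    name: str
    controls_gap_after: float  # share of total risk still left once this control is added (0.0-1.0)


@dataclass
class Risk:
    asset: str
    threat: str
    threat_likelihood: int  # 1-5, how likely the threat source is to act (assumed scale)
    vulnerability: float    # 0.0-1.0, how likely an attempt succeeds against the known weakness
    asset_value: int        # 1-5, business impact if the asset is lost or compromised (assumed scale)
    controls_gap: float     # 0.0-1.0, share of total risk NOT removed by existing controls
    options: list = field(default_factory=list)  # candidate additional Controls
    insurable: bool = False                      # can the risk be transferred by insurance?

    def total_risk(self) -> float:
        # threats x vulnerability x asset value
        return self.threat_likelihood * self.vulnerability * self.asset_value

    def residual_risk(self) -> float:
        # total risk x controls gap
        return self.total_risk() * self.controls_gap


def prioritise(register):
    """Treatment order: highest residual risk first."""
    return sorted(register, key=lambda r: r.residual_risk(), reverse=True)


def choose_treatment(risk, appetite=RISK_APPETITE):
    """accept  - already within appetite
    reduce   - an extra control brings it within appetite (least restrictive one that suffices)
    transfer - cannot be reduced enough but can be insured
    avoid    - otherwise: stop the activity that carries the risk"""
    if risk.residual_risk() <= appetite:
        return ("accept", None)
    viable = [c for c in risk.options
              if risk.total_risk() * c.controls_gap_after <= appetite]
    if viable:
        best = max(viable, key=lambda c: c.controls_gap_after)
        return ("reduce", best.name)
    if risk.insurable:
        return ("transfer", None)
    return ("avoid", None)


def with_vulnerability(risk, new_vulnerability):
    """Risk analysis is continuous: re-score when, for example, patching falls
    behind and the weakness becomes easier to exploit."""
    return replace(risk, vulnerability=new_vulnerability)


def sample_register():
    """Constructed register; it describes no real organisation."""
    return [
        Risk("Public web server", "Exploitation of unpatched web software", 5, 0.4, 4, 0.5,
             options=[Control("Patch management SLA", 0.25)]),
        Risk("HR database", "Insider misuse of access", 2, 0.5, 5, 1.0),
        Risk("File server", "Ransomware", 4, 0.6, 5, 0.8,
             options=[Control("Offline backups", 0.6)], insurable=True),
        Risk("Legacy kiosk", "Malware on unsupported OS", 4, 1.0, 2, 1.0,
             options=[Control("Network isolation", 0.9)]),
    ]


def treatment_plan(register=None):
    """Each asset mapped to its chosen treatment, in priority order."""
    register = sample_register() if register is None else register
    return {r.asset: choose_treatment(r) for r in prioritise(register)}


if __name__ == "__main__":
    for asset, choice in treatment_plan().items():
        print(f"{asset:18s} -> {choice}")
    lapsed = with_vulnerability(sample_register()[0], 0.8)
    print("web server once patching lapses ->", choose_treatment(lapsed))
```

With these figures the file server (residual 9.6) is treated first and transferred, the kiosk (8.0) is avoided because its only candidate control still leaves it above appetite, and the patched web server (4.0) is accepted; doubling its vulnerability score to reflect lapsed patching pushes it to 8.0 and the plan changes to reducing it with the patch management control. The scores are illustrative only; the point is that the treatment decision falls out of the formulas and the appetite, and has to be re-run whenever the inputs move.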
• 116. Tactical Ways in Which Controls May be Used • Tactical risk management controls are classified into four types: 1. Detective Controls: designed to recognise information security events, such as intrusion detection systems 2. Preventative Controls: designed to stop an incident from taking place; for instance, firewall rules which prevent users from accessing banned websites 3. Corrective Controls: those which, having detected an information security incident, make suitable changes to ensure that it does not cause an impact. For example, anti-virus software that has detected a virus will block it and perhaps remove it to prevent the virus from propagating further
• 117. Tactical Ways in Which Controls May be Used 4. Directive Controls: designed to inform users about what they may and may not do • An example would be a clause written into an employment agreement which dictates fair use of the internet and makes explicit the possible penalties for violation
• 118. Tactical Ways in Which Controls May be Used • Figure: applicable types of control shown on an incident timeline. Before the incident (left to right): deterrent controls, directive controls, preventative controls, compensating controls; after the incident: detective controls, corrective controls, recovery controls
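The difference between preventative, detective and corrective controls is clearest when the three act on the same events in sequence. The following is an added example written for this page, not course material: a preventative deny list is consulted before a login attempt is accepted; a detective rule counts failed logins per source address within a time window; and a corrective action adds the offending source to the deny list so the preventative control stops its next attempt. Directive controls are policy text and have no code equivalent, so they are not represented. The log format is a simplified, constructed imitation of an SSH daemon's log, and the addresses, threshold and window are invented.

```python
"""Added example (not from the course slides): preventative, detective and
corrective controls applied in sequence to constructed login-attempt logs.

Assumptions: the log format, addresses, threshold and window are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed imitation of sshd log lines.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)
THRESHOLD = 3                 # failures from one source within the window that trigger an alert
WINDOW = timedelta(minutes=5)

# Constructed sample: one source brute-forces root/admin and then succeeds;
# another source has two failures far apart and then logs in normally.
SAMPLE_LOG = """\
2024-01-01 09:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-01-01 09:00:04 sshd[102]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-01-01 09:00:09 sshd[103]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-01-01 09:00:15 sshd[104]: Accepted password for admin from 203.0.113.7 port 51003 ssh2
2024-01-01 09:00:20 sshd[105]: Failed password for alice from 198.51.100.5 port 40000 ssh2
2024-01-01 09:30:00 sshd[106]: Failed password for alice from 198.51.100.5 port 40001 ssh2
2024-01-01 09:30:05 sshd[107]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
"""


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


class ControlPipeline:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.denylist = set()                 # state used by the preventative control
        self.failures = defaultdict(deque)    # per-source failure timestamps in the window
        self.alerts, self.blocked, self.accepted = [], [], []

    def preventative(self, ev):
        """Deny list checked before the attempt is allowed to proceed."""
        return ev["src"] not in self.denylist

    def detective(self, ev):
        """Sliding-window count of failures per source; True when it reaches the threshold."""
        if ev["result"] != "Failed":
            return False
        q = self.failures[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold

    def corrective(self, ev):
        """Act on the detection: block the source so the preventative control stops it."""
        self.denylist.add(ev["src"])
        self.failures.pop(ev["src"], None)

    def handle(self, line):
        ev = parse(line)
        if ev is None:
            return
        if not self.preventative(ev):
            self.blocked.append(ev)
            return
        if self.detective(ev):
            self.alerts.append((ev["ts"], ev["src"]))
            self.corrective(ev)
            return
        if ev["result"] == "Accepted":
            self.accepted.append((ev["user"], ev["src"]))


def run(lines=SAMPLE_LOG):
    pipeline = ControlPipeline()
    for line in lines.splitlines():
        pipeline.handle(line)
    return pipeline


if __name__ == "__main__":
    p = run()
    print("alerts:", p.alerts)
    print("deny list:", p.denylist)
    print("blocked:", [(e["user"], e["src"]) for e in p.blocked])
    print("accepted:", p.accepted)
```

On the sample, the third failure from 203.0.113.7 raises the alert (detective), the address is added to the deny list (corrective), and its subsequent successful password guess is blocked before it is accepted (preventative); alice's two failures fall outside the five-minute window of each other, so her login is accepted. Note the ordering lesson from the timeline slide: the preventative control only helps against this source once the detective and corrective controls have run.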
• 119. Operational Types of Controls • Operational controls are of three types: o Physical controls place some kind of barrier between the organisation's assets and a potential intruder; for instance, securing access to restricted areas such as data centres using a card or token-based access control system o Procedural controls are designed to guide users in the correct way of undertaking their work; these may include process and procedure documents, guidelines, standards and regulations o Technical controls are hardware and software solutions which ensure that risks are reduced or avoided; these may include intrusion detection systems, firewalls and activity logging
• 120. Identifying and Accounting for the Value of Information Assets • Before carrying out any risk assessment on a company's information, each of its 'information assets' must be identified and documented in a business impact analysis (BIA) • Most of the information needed will come from questionnaires, so it is helpful to note who is responsible for gathering and storing the data, where it is held, when and how it is used and backed up, and so on • On occasion, individuals themselves may be considered an information asset, for instance if they have unique skills or knowledge within the company or are the only source of business-critical information • The value of each information asset will depend on its function, how long the business can manage without it, how difficult it would be to restore or recover, and how often the information changes
• 121. Principles of Information Classification Strategies
  • Principles of data and information classification (figure): Openness, Transparency and Societal Values; Content-driven, Technology-neutral Approach; Risk Management Approach; Proportionality; Clear Roles and Responsibilities; Lifecycle Approach
• 122. Principles of Information Classification Strategies
  1. Openness, Transparency and Societal Values: Classification should be used with care and according to the data's sensitivity, value and criticality. Access restrictions should only be applied where disclosure of the information could harm the legal responsibilities and legitimate interests of the company itself, its employees or third parties
  2. Content-driven, Technology-neutral Approach: Information should be classified based on its content and the risks associated with compromise of that content, regardless of its format, origin or media
• 123. Principles of Information Classification Strategies
  3. Risk Management Approach: Information should be protected in accordance with its level of sensitivity, value and criticality; this is commonly done in a graded approach, with levels corresponding to risk and value. A protection level defines the set of risk reduction measures needed to bring the risk, i.e. the potential severity and likelihood of the information being compromised, down to an acceptable level
  4. Proportionality: Information shall be classified at a suitable level, which should be as low as possible but as high as required
• 124. Principles of Information Classification Strategies
  5. Clear Roles and Responsibilities: Responsibilities for information classification should be assigned in the company's information security policy and processes, and upheld through management awareness of and commitment to information security
  6. Lifecycle Approach: The classification system should take account of information throughout its lifecycle as part of the information management system: from creation or receipt, through storage, retrieval, transfer, modification, copying and transmission, to destruction. In addition, a company's information management or data processing policy should not be set in stone but regularly reassessed to ensure that it meets the organisation's needs and expectations
• 125. The Need to Assess the Risks to the Business in Business Terms
  • Although carrying out risk assessments is fairly straightforward (after some practice), there will be a great temptation to define and document them in risk management terminology
  • This is fine when discussing the assessments with like-minded or similarly experienced individuals; however, when it comes to selling the idea back to the business, this terminology may not be well understood by those unfamiliar with the jargon
  • Terminology that is unfamiliar to the recipient may reduce the efficacy of the risk assessment and will make it harder to persuade the reader that suitable action should be taken
• 126. Balancing the Cost of Information Security Against the Cost of Potential Losses
  • When the outcomes of the risk assessments have been made available, there will be suggestions as to how to reduce the higher-level risks
  • While the company would not expect a detailed cost estimate for the remedial work at this stage, it is reasonable to have at least a rough idea of the order of expenditure, the resources needed to undertake the work and the estimated timescales
  • In this way, the outcomes of the risk assessments can be presented in a more balanced way so that decision-makers can take a more objective view
• 127. The Role of Management in Accepting Risk
  • The option of accepting a risk may sound an easy one to take; however, it is not something that should be done lightly. Several companies are unable to distinguish between ignoring risk and accepting risk
  • If the suggestion is to accept a risk, the decision to do so should be a conscious one and must be thoroughly documented. It is common practice for a single manager to sign off a risk
  • When the impact is high, it is better practice to have a second manager sign off, preferably one who is more remote from the risk itself but nonetheless has a good knowledge of the possible effect of the risk materialising
  • For instance, if a production manager signs off the risk of having only one machine of a specific kind, a manager from a completely different discipline should counter-sign the risk to give objective confirmation that acceptance is in order
• 128. Contribution to Corporate Risk Registers
  • Risk registers are a necessary part of the overall risk management process, and they achieve several objectives:
  o They allow all risks identified in the risk assessment process to be documented formally, which is sometimes a legal necessity
  o They permit an authorised observer such as an auditor to have visibility of the impact and likelihood of each risk and to assess the suitability of the responses selected and all associated detail
  o They enable continuous monitoring of risk status and of the progress of risk reduction, and can be used for management reporting
• 129. Contribution to Corporate Risk Registers (Continued)
  • A risk register should include as a minimum:
  o The details of the threat
  o Its assessed likelihood and impact
  o The overall risk evaluation calculated from these
  o The suggested treatment (tolerate or accept, terminate or avoid, modify or reduce, share or transfer) and the actual actions to be taken
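The minimum risk register contents listed on slides 128 and 129, as an added worked example written for this page rather than course material: each entry records the threat, its assessed likelihood and impact, derives the overall risk from those two values and names one of the four treatments, and the register can be turned into a management report and audited for high risks that have no actions. It also enforces the point from slide 127 that an accepted risk must carry a documented sign-off. The 1-to-5 scales, the high-risk threshold and the sample entries are constructed assumptions, not values from the course.

```python
"""Minimal corporate risk register (illustration, not course material).

Assumptions: likelihood and impact on 1..5 scales, overall risk as their
product, a constructed high-risk threshold and constructed sample threats.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four strategic risk treatments named on slide 129."""
    ACCEPT = "tolerate or accept"
    AVOID = "terminate or avoid"
    REDUCE = "modify or reduce"
    TRANSFER = "share or transfer"


@dataclass
class RiskEntry:
    risk_id: str
    threat: str                  # details of the threat
    likelihood: int              # assessed likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                  # assessed impact, 1 (negligible) .. 5 (severe)
    treatment: Treatment
    actions: list = field(default_factory=list)  # the actual actions to be taken
    owner: str = ""              # manager(s) who signed the risk off
    status: str = "open"         # tracked for continuous monitoring

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value}")
        # Accepting a risk must be a conscious, documented decision (slide 127)
        if self.treatment is Treatment.ACCEPT and not self.owner:
            raise ValueError(f"{self.risk_id}: an accepted risk needs a named sign-off")

    @property
    def overall_risk(self) -> int:
        """Overall risk evaluation calculated from likelihood and impact."""
        return self.likelihood * self.impact


HIGH_RISK = 15  # constructed threshold: overall risk at or above this is "high"


def management_report(register):
    """Rows (id, overall risk, treatment, status), highest overall risk first."""
    ordered = sorted(register, key=lambda r: r.overall_risk, reverse=True)
    return [(r.risk_id, r.overall_risk, r.treatment.value, r.status) for r in ordered]


def high_risks_without_actions(register):
    """Audit check: high risks that are neither accepted nor given concrete actions."""
    return [r.risk_id for r in register
            if r.overall_risk >= HIGH_RISK
            and r.treatment is not Treatment.ACCEPT
            and not r.actions]


# Constructed sample register
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Flooding of the data centre", 2, 5, Treatment.TRANSFER,
              actions=["Insure against flood damage", "Contract a standby site"]),
    RiskEntry("R-02", "Only one machine of a specific kind in production", 3, 4,
              Treatment.ACCEPT, owner="Production manager; counter-signed by Finance"),
    RiskEntry("R-03", "Failure of the local mains power supply", 4, 4, Treatment.REDUCE),
    RiskEntry("R-04", "Account compromise through weak passwords", 4, 3, Treatment.REDUCE,
              actions=["Enforce the password standard"]),
]

if __name__ == "__main__":
    for row in management_report(SAMPLE_REGISTER):
        print(row)
    print("High risks with no actions:", high_risks_without_actions(SAMPLE_REGISTER))
```

R-03 is the only entry that is both high and untreated, which is exactly the gap an auditor reading the register would flag; the ACCEPT check makes the "conscious decision, documented" rule a property of the data rather than a reminder.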
• 130. Question 6: What are the four types of strategic risk treatment that can be used?
  A. Accept, transfer, ignore, control
  B. Avoid, ignore, transfer, mitigate
  C. Accept, avoid, reduce, transfer
  D. Reduce, transfer, mitigate, control
• 131. Question 7: A business impact analysis considers which of the following?
  A. The consequences of a threat being carried out
  B. The likelihood of a threat occurring
  C. The likelihood that a vulnerability will be exploited
  D. The probability that losses might result from an incident
• 132. Question 8: A risk assessment is designed to achieve which of the following?
  A. To identify the likely impact if a vulnerability is exploited
  B. To identify the degree of likelihood that a vulnerability will be exploited
  C. To identify the likely impact if a threat occurs
  D. To identify the degree of likelihood that a threat will occur and its likely impact
• 133. Question 9: Which of the following is NOT a threat?
  A. Failure of the local mains power supply
  B. An easily guessed password
  C. A transmission circuit cable break
  D. Flooding of a data centre
• 134. Question 10: Once the key risks have been assessed, what action is unacceptable for very low risks?
  A. They can be ignored
  B. They can be accepted
  C. They can be treated
  D. They can be terminated
  • 135. Domain 3: Information Security Framework
• 136. Outlines of Domain 3
  • Module 1: Organisation and Responsibility
  • Module 2: Organisational Policy, Standards and Procedures
  • Module 3: Information Security Governance
  • Module 4: Information Security Implementation
  • Module 5: Security Incident Management
• 137. Outlines of Domain 3
  • Module 6: Legal Framework
  • Module 7: Security Standards and Procedures
  • 138. Module 1: Organisation and Responsibility
• 139. The Organisation's Management of Information Security
  • An organisational structure should be established to manage information assurance, providing a framework to ensure that the enterprise's assurance requirements are understood and that responsibilities for meeting them are allocated suitably across the enterprise
  • Accountabilities must be clearly defined, whether on a local basis or at enterprise level, and assurance activities need to be coordinated properly across the organisation to ensure that they are managed efficiently
• 140. Information Security Roles within the Enterprise
  • There should be a nominated resource within the organisation with responsibility for managing information assurance issues on a regular basis
  • This is to ensure that good information assurance practice is applied correctly and efficiently across the enterprise, and to co-ordinate all assurance activities
  • In larger organisations, this should be a full-time role, and the manager of this function is frequently referred to as the information security manager, the head of information assurance or the Chief Information Security Officer (CISO)
• 141. Placement in the Organisation Structure
  • Placement of the various assurance roles in an organisation will generally depend on the structure, specific needs and culture of the enterprise
  • Hence, there are no hard and fast rules as to exactly where the roles should sit, how they should be organised or what their scope should be
  • In some firms, the information assurance function is located in the corporate compliance area
  • This is common in enterprises or industries that have a strong compliance culture, such as manufacturing or banking
• 142. Placement in the Organisation Structure (Continued)
  • In other firms, the function is based in the IT group, because many of the controls that defend the enterprise depend on computer technology
  • Sometimes the function is placed in a central facilities group, since assurance obligations often span several management areas within an enterprise
  • To work efficiently, reporting structures should contain dotted-line responsibilities to roles including, but not limited to, the senior responsible owner (SRO), chief risk officer (CRO), chief information officer (CIO), senior information risk owner (SIRO) and chief finance officer (CFO)
• 143. Senior Leadership Team Responsibilities
  • One senior person in the organisation should be given overall responsibility for safeguarding the assurance of the firm's information assets and be formally held accountable
  • A board member or equivalent should perform this role to demonstrate the enterprise's management commitment to information assurance
  • In some organisations, the CISO or equivalent is a board member
  • The key responsibility of this person is to ensure that suitable assurance controls are implemented across the enterprise and to:
  o provide a single point of accountability for information assurance
• 144. Senior Leadership Team Responsibilities (Continued)
  o ensure that assurance goals are identified and meet the requirements of the enterprise
  o ensure that appropriate assurance resources are made available to protect the enterprise to an acceptable and agreed level of risk
  o assign particular assurance roles and responsibilities across the enterprise
  o give commitment, clear direction and visible support for assurance initiatives, for instance by approving and signing off high-level security policies and the requisite architectures and strategies
• 145. Responsibilities Across the Wider Organisation
  • Attaining good information assurance needs teamwork and a wide variety of skills, ranging from managerial to administrative and technical
  • It is unlikely that any one person would have all the necessary skill sets, or even the time, to do everything that is needed; hence, roles should be delegated to particular individuals or suitable teams with the required skills
  • For example, the skill sets needed to maintain an enterprise's anti-virus systems are different from those required to administer user identities
  • All those involved need to have a proper understanding of their responsibilities and be given explicit support and direction from senior management to achieve what is required of them
• 146. Statutory, Regulatory and Advisory Requirements
  • External factors can affect how an enterprise's information assurance should be managed, and the enterprise needs to understand these requirements so that suitable assurance controls can be adopted to allow the business to fulfil its accountabilities
  • These requirements can come from a variety of organisations such as government, police, trade regulatory bodies, utility companies or telecommunications suppliers. They may be statutory, regulatory or advisory
  • Statutory requirements are legal requirements that must be fulfilled
  • Privacy legislation like GDPR will influence how information is managed and stored in the enterprise and how resources are deployed to ensure that the enterprise complies with this legislation
• 147. Statutory, Regulatory and Advisory Requirements (Continued)
  • Regulatory obligations are frequently imposed by trade bodies, and these define how a firm should operate to conform to specific standards
  • Although they are not legal obligations, regulatory bodies have extensive powers, and failure to comply could lead to fines or, in extreme cases, exclusion from trading in a specific environment
  • The finance sector is an excellent instance of this, as it maintains strict controls to prevent financial malpractice such as money laundering or fraud; official bodies such as the Financial Conduct Authority (FCA) have far-reaching powers
• 148. Provision of Specialist Information Security Advice and Expertise
  • Those involved in the security function must provide specialist information security advice and expertise to the enterprise
  • A high degree of current knowledge on information assurance matters should be maintained, on topics such as industry trends, changes to the threats facing the organisation, risk analysis, new control measures, legislation and compliance needs, and the most recent technological developments
  • This is a continuous process. It is not essential to have all the answers, but it is necessary to know where to find this information or to have access to someone with this expert knowledge as and when required
• 149. Provision of Specialist Information Security Advice and Expertise (Continued)
  • One way of achieving this is to keep in regular contact with special interest websites and groups, or to network with information assurance peers in other firms through a professional association or security forums
  • Information about new technologies, products, threats and vulnerabilities, or how to tackle specific assurance issues, can be shared, and a co-operative approach is usually useful in understanding and addressing these problems before applying the lessons to one's own circumstances
• 150. Creating a Culture of Good Information Security Practice
  • Information assurance requires the collaboration and co-operation of everyone with access to the enterprise's information
  • Including everyone in the assurance process will help to develop a culture of good information security practice
  • A primary factor for success is ensuring that everyone who accesses the enterprise's information understands what is expected of them
  • Having clearly defined assurance roles and responsibilities, standards and up-to-date security policies and procedures in place will remove any ambiguity
• 151. Creating a Culture of Good Information Security Practice (Continued)
  • These should be clearly communicated and readily accessible
  • Education is also a significant element in creating a culture of good information assurance practice
  • If everyone knows the value of the enterprise's information assets and how they can be put at risk, they are far more likely to understand why these processes and procedures are in place
  • Regular awareness campaigns run by the information security manager can help to reinforce this message
  • 152. Module 2: Organisational Policy, Standards and Procedures
• 153. Developing, Writing and Getting Commitment to Security Policies
  • One senior person in the organisation should be given overall responsibility for protecting the assurance of the organisation's information assets and be formally held accountable for ensuring that suitable security controls are implemented across the business
  • A working group should support this director in ensuring that sufficient assurance measures are in place to protect the organisation to an acceptable level of risk
  • Involving senior management will help to endorse the governance process, ensure that sufficient resources are made available, and ensure that controls are implemented efficiently and that any identified security gaps are addressed
• 154. Developing Standards, Guidelines, Operating Procedures
  Policy
  • A policy is a high-level statement of an organisation's values, goals and objectives in a particular area, and of the general approach to attaining them. Although they should be reviewed regularly, policies should hold good for some time, as they are not intended to give specific or detailed guidance on how to attain these goals
  • For instance, a policy might say that every user is responsible for creating and maintaining their system passwords, without saying precisely how to do this. Policies are compulsory
• 155. Developing Standards, Guidelines, Operating Procedures
  Standard
  • A standard is more prescriptive than a policy. It quantifies what should be done and gives consistency in controls, which can then be measured
  • For instance: passwords must be at least eight characters long, contain a mix of letters, numbers and special characters, and be changed if compromised or for another similar reason. Compliance with standards is also compulsory. They must support policy and state what 'must' be done and how it should be achieved
• 156. Developing Standards, Guidelines, Operating Procedures (Continued)
  • Standards can be either general or technical, but they must always relate to a particular subject
  Procedure
  • A procedure is a collection of detailed working instructions and describes what should be done, when, how and by whom
  • Again, procedures are mandatory and must support the enterprise's policies and standards
• 157. Developing Standards, Guidelines, Operating Procedures
  Guidelines
  • Guidelines are not compulsory but give direction, advice and best practice in cases where it is difficult to regulate how something should be done
  • Whether creating policies, standards, procedures or guidelines, these documents should always be clearly written and to the point
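The difference between a policy and a standard on slides 154 and 155, as an added worked example (not code from the course): the policy statement about password responsibility contains nothing measurable, whereas the eight-character, mixed-character-class standard can be checked mechanically and its compliance rate reported, which is the kind of measurement the compliance checks in Module 3 rely on. The list of compromised passwords and the sample values are constructed for this example.

```python
"""Policy versus standard, using the course's password example.

Illustration only, not course material. The compromised-password list and
the sample passwords are constructed for the example.
"""
import string

# The policy (slide 154): a statement of responsibility, nothing to measure.
POLICY = "Every user is responsible for creating and maintaining their system passwords"

# The standard (slide 155) quantifies the policy into testable clauses.
MIN_LENGTH = 8
REQUIRED_CLASSES = {
    "letter": set(string.ascii_letters),
    "number": set(string.digits),
    "special character": set(string.punctuation),
}

# Constructed stand-in for a feed of passwords known to be compromised.
KNOWN_COMPROMISED = {"Password1!", "Welcome123!"}


def check_against_standard(password, compromised=KNOWN_COMPROMISED):
    """Return the standard's clauses the password fails; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in REQUIRED_CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"contains no {name}")
    # "changed if compromised": a known-compromised value fails regardless of its form
    if password in compromised:
        failures.append("known to be compromised and must be changed")
    return failures


def compliance_rate(passwords):
    """Compliance check (slide 173): fraction of a sample that meets the standard."""
    if not passwords:
        return 0.0
    compliant = sum(1 for p in passwords if not check_against_standard(p))
    return compliant / len(passwords)


if __name__ == "__main__":
    print("Policy:", POLICY, "-> nothing measurable to test")
    sample = ["secret", "correcthorse", "Tr0ub4dor&3", "Password1!"]  # constructed
    for pw in sample:
        result = check_against_standard(pw)
        print(f"{pw!r}: {'compliant' if not result else ', '.join(result)}")
    print(f"Compliance rate: {compliance_rate(sample):.0%}")
```

Each failure names the clause of the standard that was broken, so a compliance report can say not just "25% compliant" but which requirement is most often missed, which is what decides whether the gap is training, misunderstanding or disregard (slide 174).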
• 158. Developing Standards, Guidelines, Operating Procedures (Continued)
  • A security policy is a strategic statement of the organisation's approach to assurance and sets out the formal organisational stance on assurance matters for everyone to see
  • This security policy should include statements on:
  o how the enterprise will handle information assurance
  o the security of information assets according to their criticality
  o compliance with legal and regulatory responsibilities
• 159. Developing Standards, Guidelines, Operating Procedures (Continued)
  o the means by which users will be made aware of information assurance issues, and the process for dealing with violations of policy and suspected assurance weaknesses
  o the fact that the policy has the support of the board and chief executive
  • As relationships with third parties can be quite varied and extensive, any terms connected with policies, procedures and standards may differ according to the nature and type of the relationship
• 160. Developing Standards, Guidelines, Operating Procedures (Continued)
  • Agreements with third parties should incorporate the enterprise's assurance policy. Generally, they should cover the following arrangements:
  o Management of modifications to the application/facility/resource/service
  o The right to audit and monitor assurance arrangements within the third party
  o Investigation and notification of assurance incidents and security breaches
  o The timely sharing of relevant cybersecurity information and knowledge
• 161. Developing Standards, Guidelines, Operating Procedures
  • The comparative relationships of security policy components (figure): Policies; Standards/Baselines; Guidelines; Procedures
• 162. Balance Between Physical, Procedural and Technical Controls
  • Physical, technical and procedural controls (often termed operational types of control) can offer very effective security mechanisms and do much to reduce the likelihood of incidents happening
  • However, each has its limitations and occasions when its use is not suitable; perhaps deployment would be far too expensive or complicated given the perceived value of the information and the associated risk
  • Users must access information systems to carry out their tasks, and this inevitably introduces a level of risk to the information
• 163. Balance Between Physical, Procedural and Technical Controls (Continued)
  • They may need to share this data with external suppliers or colleagues and make value judgements as to whether it should be released to them
  • Reducing this kind of risk is hard to achieve through technical controls alone
  • Technical controls defined by a document management system, for instance, may well provide a good level of security
  • However, there will always be exceptions, and these should be handled consistently by having a policy or process in place
• 164. End-User Code of Practice
  • The high-level security policy should be supplemented by an end-user code of practice or acceptable use policy, which gives an easily accessible way of communicating requirements to end-users
  • An acceptable use policy demonstrates the organisation's commitment to information assurance and must be approved by the director accountable for information assurance
  • It should be available to all users who need to access the organisation's information systems, including all employees (permanent and temporary, full- and part-time), third parties and contractors
  • The acceptable use policy should detail what is expected of users to secure the organisation's information assets
• 165. End-User Code of Practice (Continued)
  • Elements included in the policy:
  o ensuring that user PINs and passwords are suitably protected, are not compromised and are changed at appropriate intervals
  o ensuring that users only access the facilities, information and equipment for which they have a designated business requirement and the requisite authorisations
  o logging off from systems when leaving a workstation unattended
  o locking away sensitive documentation and media when not in use (for instance, as part of a clear desk policy)
  o use of personal devices such as tablets and smartphones
  o ensuring that all security incidents are reported
• 166. Consequences of Policy Violation
  • Anyone accessing the organisation's information assets needs to know what the consequences of a policy breach are, and this should be clearly specified in the policy, procedure or standard
  • Suitable processes should be established for reporting and dealing with breaches so that they are dealt with in a consistent manner
  • These processes should be documented and agreed with the appropriate stakeholders when the documents are created
  • Violation of a policy may, in severe cases, lead to an employee disciplinary process being instigated, termination of a supplier contract or the need to report the behaviour to the appropriate law enforcement agency
• 167. Consequences of Policy Violation (Continued)
  • Therefore, the processes and rules should be agreed, understood and effectively embedded within the organisation before any violation has to be dealt with
  • It is crucial to involve the legal and HR departments in the development of such policies to ensure that the proposed course of action complies fully with all employment legislation and other applicable national laws
  • 168. Module 3: Information Security Governance
• 169. Introduction
  • There is an increasing amount of regulation and legislation that requires senior management to ensure that adequate controls are in place to protect the enterprise's information assets
  • To fulfil these obligations, senior management needs to know the current status of existing assurance controls, where such controls are inadequate and how the organisation's risk profile is changing
  • Effort can then be directed at improving security mechanisms and managing the risk efficiently
• 170. Review, Evaluation and Revision of Security Policy
  • Reviews should take place after any significant changes to either resources or systems, or as part of a regular review schedule
  • A management review process must be established to ensure that policy reviews take place in an organised and timely manner
  • The review schedule should identify every person to be involved, and a formal record should be kept of any revisions made, with an explanation of why content has been altered, added or removed
  • Senior management should then approve the final version of any amended documentation
• 171. Security Audits and Reviews
  • Audits and reviews offer an excellent opportunity to understand how well things are working in the enterprise and provide senior management with valuable information on the assurance of their environment
  • Regular independent assurance audits and reviews should be carried out across the business to ensure that its information systems comply with current security policies, controls and standards
  • Potential vulnerabilities in these systems can be reviewed, and the effectiveness of existing controls tested
  • Audits and reviews should be carried out periodically or when a significant change has occurred
• 172. Security Audits and Reviews (Continued)
  • To introduce a measure of impartiality to the review, it should be carried out by an independent party, who will also bring a fresh set of eyes to it
  • Ideally, a manager or a member of an audit team with no conflict of interest in its outcome would do this
  • Alternatively, reviews can be carried out by a third party such as a consulting company or an external auditor
  • In the case of technical reviews, it is often helpful to engage a company with specialist knowledge in areas like penetration testing
• 173. Checks for Compliance with Security Policy
  • Regular checks should be carried out to measure compliance with security policies, standards and procedures
  • Carrying out compliance checks helps to identify whether controls are still adequate and relevant
  • Compliance checks also help to assess the level of user awareness and understanding of their assurance responsibilities, and whether or not these are being taken seriously
  • If regular checks are not carried out, then over time users may tend to pay them less regard
• 174. Checks for Compliance with Security Policy (Continued)
  • Assurance is weakened as users become aware that monitoring does not take place and that they are not likely to be challenged
  • If an instance of non-compliance has been identified, it is essential to discover why it has occurred
  • This could be due to a lack of training, misunderstandings or perhaps simple disregard of procedures
  • It may have resulted from a change in business processes that has not been reflected in the assurance documentation
• 175. Reporting on Compliance Status
  • The type of strategy the enterprise deploys to meet its information assurance compliance obligations will depend on the organisation's risk appetite and the external requirements placed on it
  • The enterprise needs to understand what its particular obligations are so that it can implement the essential controls and reporting mechanisms
  • In some situations, strictly specified governance requirements apply, but most enterprises are simply asked to demonstrate that appropriate information assurance controls have been implemented
• 176. Reporting on Compliance Status (Continued)
  • Usually, regulators will want assurance that senior management is committed to protecting the enterprise's information assets, understands the enterprise's risk profile and has implemented controls to manage risk to an acceptable level
  • Regulators will also need assurance that the controls in place are working efficiently and that any gaps identified are being addressed
  • Senior management and any compliance or regulatory bodies need access to enough information to be able to demonstrate compliance
  • 177. Module 4: Information Security Implementation
• 178. Planning – Ensuring Effective Programme Implementation
  • Good planning is the foundation of any successful information assurance programme implementation
  • It can be used as a powerful tool to obtain support from senior management and key stakeholders and to demonstrate how the assurance programme helps to reduce risk in the firm. It also builds support for further initiatives
  • To have credibility, the information assurance implementation programme has to be realistic and achievable, and must address the requirements of the enterprise accurately
• 179. Planning – Ensuring Effective Programme Implementation (Continued)
  • The main steps in developing an implementation programme and plan are to identify:
  o How the implementation programme will address risks in the enterprise and reduce them to an acceptable level
  o The possible benefits of undertaking the programme
  o The controls or work streams that should be set up to achieve this
  o The level of effort that will be needed, and from whom
  o Who will be responsible for each part of the programme
  o The timescales and costs associated with the implementation
  o How progress will be tracked
• 180. How to Present Information Security Programmes as a Positive Benefit
  • An information assurance programme should be seen as delivering positive benefits to the enterprise
  • Managing down information risk can bring tangible advantages in terms of greater stability of information systems and enhanced protection of sensitive information
  • These advantages can show the rest of the organisation that assurance priorities are aligned with the priorities of the enterprise
• 181. How to Present Information Security Programmes as a Positive Benefit (Continued)
  • To support the programme, senior management needs to understand:
  o the risks the organisation is facing
  o the cause and potential effects of these risks
  o the advantages they will see from their investment
  o where changes to ways of working may be required
  o how they can sponsor or support the programme
• 182. Security Architecture and Strategy
  • Two concepts in information assurance implementation, information security strategy and information security architecture, have gained value and credibility in recent years. An information security strategy is a plan to take the assurance function in an organisation from the reality of where it is now, with all its problems and issues, to an improved state in the future
  • It gives a vision or road map of how this can be achieved and how it will help the organisation in the future. Generally, a strategy must cover a period long enough for a significant level of change to be implemented but short enough to be able to predict changes in technology and organisational objectives
• 183. Security Architecture and Strategy (Continued)
  • Typically, this is a three- to five-year period
  • An information security strategy has the components of an implementation programme, but covers a longer period at a less detailed level, pitched at a much higher level
  • It should show how it will allow the enterprise to achieve its purposes and protect it against current and future threats. It must consider:
  o The current state of assurance and the strengths and weaknesses of existing controls
• 184. Security Architecture and Strategy (Continued) o How the risk profile of the enterprise is likely to change in response to changing business objectives and working practices o Trends in threats, vulnerabilities and the types of incident that are possible o Expected developments in hardware and software o Legal, compliance and audit needs and any anticipated changes o Areas where cost savings can be made
• 185. Need to Link with Business Planning, Risk Management and Audit Processes • The aim of an information assurance programme must be to decrease information risk in the enterprise • Information assurance implementation and planning processes should not work in isolation • To be effective, an implementation programme should understand the business objectives and goals of the enterprise so that it can identify suitable assurance controls to ensure the enterprise is sufficiently protected to meet those goals
• 186. Need to Link with Business Planning, Risk Management and Audit Processes (Continued) • Information assurance implementation programmes need to work closely with other assurance and organisational processes for managing risk to an acceptable level • The risk management process must give understanding and awareness of the risks faced by the enterprise and identify where risks are not being managed effectively • The outputs from risk assessments must define what controls should be implemented and assess how urgently they should be addressed
  • 187. Module 5: Security Incident Management
• 188. Security Incident Management • Security incidents do not only affect the confidentiality of data; the impact can equally relate to the availability or integrity of data, or to any other asset employed by the organisation or provided by a third party (such as cloud services) • It is important to have plans to deal with the most likely possibilities before they occur • Trying to think of and implement solutions once an event is already causing problems will take longer and be riskier in terms of them not working, not to mention bringing further costs
• 189. Security Incident Reporting, Recording and Management • A security incident response plan is a set of instructions to assist the organisation, and the incident response team in particular, to detect, respond to and recover from information security incidents • The following are some of the issues such plans address: o Malware outbreak o DoS attacks o A security incident at a third-party service provider upon whom the organisation depends
• 190. Security Incident Reporting, Recording and Management (Continued) o Service outages o An incident requiring notification of a regulator, for instance the ICO for loss of personal data • The first priority is to make sure that all the people within the organisation know how to identify an incident and to whom they should report it • This can be achieved in several ways, including awareness training, dedicating a section of the company portal/intranet to it, and carrying out exercises
• 191. Security Incident Reporting, Recording and Management (Continued) • There are usually five phases in the management of an incident: 1. Reporting 2. Investigation 3. Assessment 4. Corrective Action 5. Review
• 192. Incident Response Teams/Procedures • An incident response team (IRT) should be appointed in advance, and all members of that team should be appropriately trained, briefed and familiar with how to use the plan • The members need to come from a cross-section of the organisation to ensure that there is enough breadth of knowledge to deal effectively with the situation • They need to be senior and experienced enough to have the authority to make decisions on the spot • The IRT must also be empowered to call upon extra resources, internal and external, as they see fit to resolve the incident
• 193. Incident Response Teams/Procedures (Continued) • There needs to be a documented escalation process for the team to reach the most senior members of the organisation as and when needed • The senior risk owner, who is usually a board member, will need to be briefed and ready to provide support and extra resources if necessary to help respond and recover • It is advisable to give each member of the team a laptop with remote access to the organisation • It should hold a full set of the incident response plan documentation and be suitably encrypted to protect the contents
• 194. Need for Links to Corporate Incident Management Systems • Large organisations frequently have mature processes in place to help incident response teams • There is often a centralised function with access to resources and expertise to assist in dealing with the incident • In a geographically distributed organisation, other offices may have plans to send in specialist staff to assist in managing and recovering from an incident, to offer cover for the affected location, or to prepare for and receive teams relocated from the affected premises
• 195. Need for Links to Corporate Incident Management Systems (Continued) • Even if an organisation does not belong to one of these, it is worth approaching a large organisation located nearby • Knowing these people in advance helps the organisation to prepare appropriately, and it will also be better able to handle the incident, whatever it may be
• 196. Processes for Involving Law Enforcement • There are times when it is essential to involve law enforcement or other related organisations in the response to an incident • In some countries, some incidents must be reported to law enforcement, and it is essential to understand who they are in your local jurisdiction, which may differ if there are offices in various countries • If there is any probability of criminal activity or other deliberate action, the relevant authorities should be informed • The IRT and senior management must have a good knowledge of the legal requirements for reporting some events and of how to capture information to a standard that enables forensic admissibility
• 197. Processes for Involving Law Enforcement (Continued) • This can be complicated and is another reason why prior planning and preparation are necessary • A single mistake in the method can render everything inadmissible in a court of law, so expert advice and direction are highly recommended • Another danger is attempted extortion and blackmail, where an attacker conducts a DDoS or ransomware attack on an organisation • In this case, the National Crime Agency (NCA) is the proper body to contact. Activity of this sort, or malware found in government departments, should lead to a report being passed to the NCSC
  • 198. Module 6: Legal Framework
• 199. Protection of Personal Data and Restrictions • Privacy laws exist to protect the individual’s rights. Information about people, such as customers or employees, is retained and processed by most organisations • Organisations should be aware of the lawful restrictions placed on them to protect that information, and on how it can be used and monitored • Several countries have legislation to protect the person and to control and restrict the amount of information retained and how it is used and monitored, but the GDPR was arguably the first comprehensive legislation, and it now applies to all PII (Personally Identifiable Information) about any citizen of the EU irrespective of where the information is held
• 200. Protection of Personal Data and Restrictions (Continued) • The Act also ensures that information is only collected with the individual’s explicit approval and that it is handled and processed in a secure way, while placing controls on transferring it to countries outside the EU which have less strict privacy controls • Both electronic and paper-based records are covered • The main points to remember when handling personal information are: o To protect personal data from accidental loss, corruption or destruction, unlawful processing and unauthorised disclosure, personal information must be surrounded by robust assurance controls and working practices
• 201. Protection of Personal Data and Restrictions (Continued) o Processes must be implemented to ensure that information is entered correctly into computer systems, and staff must know that no personal information should be disclosed to any third party without suitable written authority being in place o Computer screens should not be left displaying personal information, or positioned where they can be overlooked, and paper records must be kept locked away
• 202. Employment Issues and Employee Rights • Employees have specific rights while using the information systems of the enterprise, such as the right to know what information the enterprise holds about them and the right to privacy, depending on the legal jurisdiction • For instance, under the GDPR a person can ask for a copy of the information held about them by any organisation. This is called a Subject Access Request • These rights may extend to monitoring controls • In the EU, employees have the right to know the scale and type of monitoring that the enterprise is carrying out and why it is being done
• 203. Employment Issues and Employee Rights (Continued) • This information must be communicated to employees by the enterprise. This can be done easily by including a statement about the extent of monitoring in the enterprise’s information assurance policies or employment contracts • Otherwise, it may be necessary to gain individuals’ consent for their information to be collected and monitored • An assessment of the monitoring strategy must be carried out to show that the monitoring techniques being used are justified, not excessive, and meet legal requirements
• 204. Common Concepts of Computer Misuse • Much of the legislation that currently applies to computer misuse was not written specifically to address computer crime • Fraud, deception, blackmail, theft and so on have always existed, but developments in technology now allow criminals to exploit computing devices in their activities • Likewise, privacy rights can be abused by electronic eavesdropping, cyberstalking or hacking rather than by actual physical presence • Hence, existing laws that predate computers are frequently used to prosecute computer misuse • Legislation has also been produced to target crimes that are committed specifically using computers
• 205. Common Concepts of Computer Misuse (Continued) • Three new offences were introduced by the Computer Misuse Act 1990: o the unauthorised modification of computer material; o unauthorised access with the intent to commit or facilitate further offences; and o unauthorised access to a computer • The following are included in the misuse of computers: o illegal access to computer systems (hacking);
  • 206. Common Concepts of Computer Misuse (Continued) o trafficking in passwords, digital signatures and encryption keys; o interference with information and systems; o download of illegal material; o computer-related fraud and forgery; o illegal interception of information; o commercial infringement of copyrights
• 207. Common Concepts of Computer Misuse (Continued) • The term computer fraud is used to describe stealing goods or money by using a computer. This can be achieved in various ways, either by changing existing information on a computer or by entering inaccurate information • Another way to carry it out is by creating or changing computer code. Misuse of computers in this way is a significant problem, as organised criminals continuously find new opportunities to use computers to commit crimes • Business fraud, as this is frequently labelled, is now one of the most common methods criminals use to generate money from businesses
• 208. Requirements for Records Retention • For legal or regulatory purposes, particular records or documents need to be kept by an organisation for a period of time. These can include financial reports and accounts, company board minutes or technical specifications • The period for which documents should be retained varies with the kind of document and the legislation of the country in which it is being used • The records of multinational organisations may pass to other countries within the same enterprise • Thus, the same data is subject to diverse legislative requirements, which might even conflict with one another
• 209. Requirements for Records Retention (Continued) • Although most retention requirements specify a minimum length of time for keeping the data, certain legislation conversely states when a record should be destroyed • An organisation may be asked to produce these records, either by an opposing party in a legal dispute or by a government agency • Failure to comply can lead to closure of the business, adverse publicity, a legal judgement against the organisation and heavy fines
• 210. Intellectual Property Rights • Enterprises and individuals invest a lot of money, time and effort in creating original products, works, ideas and methodologies • Intellectual property rights (IPR) are the legal rights which protect creative works, and most countries have legislation to protect such intellectual property • Copyright law was originally designed to protect original artistic works such as pieces of music, though it also applies to documents, software programs, books, computer games, video files, photographs and other types of work generated by or using a computer • Copyright is automatically attached to a piece of work considered original upon its publication
• 211. Intellectual Property Rights (Continued) • Copyright gives the creator exclusive rights over certain facets of the work, such as issuing, copying, adapting and performing it • Moreover, there are other pieces of legislation that aim to protect intellectual property, and it is beneficial to know about some of them • The Common Law of Breach of Confidence aims to protect secrets, whether commercial, personal or governmental • It can only be applied while the information is not in the public domain, and it covers breaches of confidence between two or more parties
• 212. Contractual Safeguards, Common Security Requirements in Outsourcing Contracts • When developing contracts with third parties, it is essential to ensure that controls are put in place to protect the information assets of the enterprise to an acceptable level • In effect, it is essential to ensure that a third party takes the same level of care in protecting the organisation’s information as the organisation would internally • The types of safeguards needed will differ depending on the kind of service being provided and the sensitivity of the enterprise’s data • Contract conditions should contain clauses to make sure that proper assurance controls are in place
• 213. Contractual Safeguards, Common Security Requirements in Outsourcing Contracts (Continued) • Security conditions are usually managed via a security schedule in the contract. The types of clause required to give adequate protection might include clauses to: o Carry out daily assurance reviews and health checks o Apply security patches in a timely manner o Guard information against malicious code
• 214. Contractual Safeguards, Common Security Requirements in Outsourcing Contracts (Continued) o Provide business continuity arrangements which meet the agreed service levels o Vet new staff to a suitable level o Enforce discipline for any security breaches o Manage security incidents • Many organisations use cloud computing services • It is important that the organisation understands the services that are being bought and contractually protects its information sufficiently
• 215. Collection of Admissible Evidence • There are various processes and rules which must be followed while gathering evidence so that, when used in a court of law, it meets specific criteria • The evidence may be excluded as inadmissible if legal guidelines are not followed. This can result in losing a court case, embarrassment, adverse publicity and financial penalties for the prosecuting party • This commonly means being able to show that the evidence is authentic, has not been tampered with in any manner and has been collected in an acceptable way that meets legislative requirements, which involves being able to document and preserve the integrity and state of items at the crime scene
• 216. Collection of Admissible Evidence (Continued) • Several nations have created legal requirements which specify how evidence should be handled. Examples are the Federal Rules of Evidence, the Civil Evidence Act and the Police and Criminal Evidence Act • Developing a procedure for gathering evidence and dealing with investigations will help to avoid mistakes while working under pressure • Only trained staff should undertake the securing of evidence. Organisations such as banks may have an in-house facility to carry out investigations, as they may need to do this daily
• 217. Collection of Admissible Evidence (Continued) • The following are the principles for handling digital evidence: o No action taken by the agents or the police should alter data stored on a computer or other media device that may subsequently be relied upon in court o In exceptional circumstances, where an individual finds it necessary to access original data held on a target computer, that individual must be competent to do so and be able to give evidence explaining the relevance and implications of their actions o An audit trail or other record of all processes applied to the computer-based evidence must be created and preserved. An independent third party should be able to examine those procedures and achieve the same result
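An added example, not part of these slides, of how the three principles above are usually put into practice: the original image is never opened, only hashed; every process applied is recorded in a custody trail with the digest of the original afterwards; and an independent examiner can re-hash the image and reproduce the same result. The "disk image" and the examiner names are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// CustodyEntry is one line of the audit trail: who applied which process to
// the evidence, when, and the SHA-256 digest of the original image afterwards.
type CustodyEntry struct {
	When   time.Time
	Actor  string
	Action string
	Digest string // hex-encoded SHA-256 of the original evidence image
}

// Digest returns the hex SHA-256 of an evidence image. Hashing, rather than
// inspecting, the original is how the "do not alter the data" principle is
// demonstrated: the image itself is never opened or changed here.
func Digest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// AcquireEvidence starts the custody trail with the acquisition digest.
// Every later entry should reproduce this value.
func AcquireEvidence(image []byte, actor string, at time.Time) []CustodyEntry {
	return []CustodyEntry{{When: at, Actor: actor, Action: "acquired image", Digest: Digest(image)}}
}

// RecordStep appends an entry for a process applied to the evidence. Work is
// done on a copy; the original is re-hashed so that any accidental change to
// it shows up in the trail at once.
func RecordStep(trail []CustodyEntry, original []byte, actor, action string, at time.Time) []CustodyEntry {
	return append(trail, CustodyEntry{When: at, Actor: actor, Action: action, Digest: Digest(original)})
}

// VerifyIntegrity is the independent examiner's check: re-hash the image
// presented in court and compare it with every recorded digest. It returns
// the index of the first entry that does not match, or -1 and nil when the
// image is consistent with the whole trail.
func VerifyIntegrity(trail []CustodyEntry, image []byte) (int, error) {
	if len(trail) == 0 {
		return -1, errors.New("no custody trail: evidence cannot be authenticated")
	}
	actual := Digest(image)
	for i, e := range trail {
		if e.Digest != actual {
			return i, fmt.Errorf("digest mismatch at entry %d (%q by %s): trail records %s..., image hashes to %s...",
				i, e.Action, e.Actor, e.Digest[:12], actual[:12])
		}
	}
	return -1, nil
}

func main() {
	// Constructed sample "image"; a real one would be a bit-for-bit disk copy.
	image := []byte("constructed evidence image: invoice_2023.pdf|mailbox.pst|syslog")
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC)

	trail := AcquireEvidence(image, "examiner A", t0)
	trail = RecordStep(trail, image, "examiner A", "created working copy", t0.Add(10*time.Minute))
	trail = RecordStep(trail, image, "examiner B", "keyword search on working copy", t0.Add(2*time.Hour))

	for _, e := range trail {
		fmt.Printf("%s  %-10s %-32s %s...\n", e.When.Format(time.RFC3339), e.Actor, e.Action, e.Digest[:12])
	}
	if idx, err := VerifyIntegrity(trail, image); err != nil {
		fmt.Println("verification failed at entry", idx, ":", err)
	} else {
		fmt.Println("image consistent with all", len(trail), "custody entries")
	}

	// One flipped bit in the original (exactly what the principles forbid)
	// is caught by the independent re-hash at the very first entry.
	altered := append([]byte(nil), image...)
	altered[0] ^= 0x01
	idx, err := VerifyIntegrity(trail, altered)
	fmt.Println("altered image: first mismatching entry", idx, ":", err)
}
```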
• 218. Securing Digital Signatures • Usually, a handwritten signature on an original document proves who signed it, and any changes can be noticed. In the electronic world, the original is different from a copy, and hence there is a possibility for fraud • A digital signature is an electronic signature that addresses this issue. It electronically binds the sender of a message to the contents of the actual message to prove that it is genuine • It also proves by whom and when it was sent, that it has not been tampered with, that it has been kept secret and that neither party can deny its transmission • Firms are increasingly using digital signatures to conduct their business, and legislation has evolved to facilitate and control their usage
• 219. Securing Digital Signatures (Continued) • What is acceptable differs across legal jurisdictions, so it is important that legal advice is obtained prior to adopting the use of digital signatures • In the EU, the Electronic Identification, Authentication and Trust Services regulation (eIDAS) came into force on 17 September 2014 and states that electronic signatures cannot be denied legal effect solely because they are in electronic form • If electronic signatures are backed by qualified certificates, which are issued by a certification service provider, and are generated by a secure signature creation device, then they are treated as equivalent to handwritten signatures
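An added example, not part of these slides, of the binding that slides 218 and 219 describe: the sender, the time of sending and the message are signed together with an Ed25519 key, so a verifier holding the sender's public key can detect any change to any of the three and the sender cannot deny producing the signature. Note that the envelope travels in the clear, since a signature proves origin and integrity but not confidentiality. The sender name and message are constructed; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Envelope is what actually gets signed: the message together with who sent
// it and when. Signing the whole envelope, not just the text, is what lets a
// verifier tie sender, time and content together.
type Envelope struct {
	Sender  string    `json:"sender"`
	SentAt  time.Time `json:"sent_at"`
	Message string    `json:"message"`
}

// SignedMessage carries the envelope in the clear next to its signature.
// Nothing here is encrypted: a signature proves origin and integrity, and
// confidentiality needs separate encryption.
type SignedMessage struct {
	Envelope  Envelope
	Signature []byte
}

// NewKeyPair generates the sender's Ed25519 key pair. The private key must
// stay with the sender; only they can then produce a valid signature, which
// is the basis of non-repudiation.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// encode produces the canonical bytes that are signed and later verified.
func encode(e Envelope) ([]byte, error) {
	return json.Marshal(e)
}

// Sign binds the sender's private key to the envelope contents.
func Sign(priv ed25519.PrivateKey, e Envelope) (SignedMessage, error) {
	data, err := encode(e)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Envelope: e, Signature: ed25519.Sign(priv, data)}, nil
}

// Verify checks the signature with the claimed sender's public key. Any change
// to the sender field, the timestamp or the message text, or a signature made
// with some other key, fails the check. The timestamp is only as trustworthy
// as the signer's clock; independent proof of time needs a trusted
// timestamping service.
func Verify(pub ed25519.PublicKey, sm SignedMessage) error {
	data, err := encode(sm.Envelope)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sm.Signature) {
		return errors.New("signature invalid: contents altered or not signed by this key")
	}
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	env := Envelope{
		Sender:  "alice@example.invalid",
		SentAt:  time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC),
		Message: "Please pay invoice 42 to account A",
	}
	sm, _ := Sign(priv, env)
	fmt.Println("message is readable in transit:", sm.Envelope.Message)
	fmt.Println("genuine message verifies:", Verify(pub, sm))

	tampered := sm // struct copy; the signature still covers the original envelope
	tampered.Envelope.Message = "Please pay invoice 42 to account B"
	fmt.Println("tampered message verifies:", Verify(pub, tampered))

	otherPub, _, _ := NewKeyPair()
	fmt.Println("verified with someone else's key:", Verify(otherPub, sm))
}
```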
• 220. Restrictions on Purchase, Use and Movement of Cryptography Technology • Cryptography is a powerful tool for protecting privacy that can be used by governments, businesses, criminals and individuals to protect confidential information • Governments argue that it is in the national interest for them to control cryptographic activity, to protect the individual and to prevent and track terrorist or criminal activity • As such, there are various controls in place over its use. Cryptography legislation differs significantly from country to country
• 221. Restrictions on Purchase, Use and Movement of Cryptography Technology (Continued) • In a few countries the controls are quite harsh, particularly where repressive political regimes are in government • It is essential that organisations which operate internationally understand the local operating restrictions, as penalties can be very harsh (e.g. for treason) and under some statutes can include the death penalty
• 222. Restrictions on Purchase, Use and Movement of Cryptography Technology (Continued) • The following factors should be considered: o Restrictions on the export and import of computer hardware and software that perform cryptographic functions o Restrictions on the export and import of computer hardware and software designed to have cryptographic functions added to it o Restrictions on the use of encryption o Discretionary or mandatory means of access by a country’s authorities to information encrypted by computer hardware and software to provide confidentiality
  • 223. Module 7: Security Standards and Procedures
• 224. National and International Standards • Many standards apply in the area of information assurance. These generally specify a set of requirements for products, processes or procedures, and they are created by organisations known as standards bodies • They collaborate with industry specialists in many areas, whether representing vendors, scientific research agencies or government departments, to present good practices which can be applied by others • The jurisdiction of a standards body may extend to a particular industry sector, a specific country or internationally
• 225. National and International Standards (Continued) • The standards which apply to an enterprise will differ depending on several factors, which may include the country in which the enterprise is based, whether it operates internationally, the industry sector in which it operates, or engagement in government contracts • Most standards are produced by non-profit-making organisations and are funded by several parties which have a vested interest in their existence • Generally, they do not regulate the adoption of their standards, although some do provide certification or accreditation to organisations to allow them to demonstrate compliance with the standards
• 226. National and International Standards (Continued) • ISO standards are produced collaboratively by committees from more than 160 participating countries • Every standard is reviewed at least every five years to ensure that it remains current, and those that are no longer appropriate can be withdrawn • Editions of these standards are formally published by the ISO and can be bought either from ISO directly or through national standards agencies such as BSI
• 227. Certification of ISMS to Appropriate Standards • Achieving information assurance certification is a means of demonstrating that an organisation takes information assurance seriously and that the right assurance controls and processes have been implemented • Certification can apply to a particular set of processes or enterprise-wide within the organisation • Generally, certification requires the enterprise to go through an external audit by an accredited third party
• 228. Certification of ISMS to Appropriate Standards (Continued) • The ISO runs several certification schemes against its standards, including ISO/IEC 27001, which allows an organisation to have its management processes and information assurance governance certified against ISO/IEC 27001 • To gain accreditation, the organisation’s ISMS (Information Security Management System) has to undergo an external audit carried out by an accredited third-party organisation • The auditors use standard processes to examine the organisation’s ISMS policies, procedures and standards against the ISO/IEC 27001 requirements and then seek evidence that they are being used within the organisation
• 229. Product Certification to Recognised Standards • Many products need certification and independent testing before they can be introduced to the market, to make sure that they conform to technical specifications, safety requirements or other compliance regulations • It is beneficial to have an independent third party confirm that a new product does meet expectations and that it can be trusted • This mainly applies to security products, as it is not easy for the consumer to test the product’s security for themselves • Certificates give customers the assurance that the security features provide the level of protection claimed by the vendor
• 230. Product Certification to Recognised Standards (Continued) • It is beneficial to know that a standards-based approach has been used for this assessment, as this helps in understanding how rigorous it has been • Test results produced in a standardised format allow straightforward comparison with competing products • Security testing, certification and evaluation have historically been carried out either by organisations or by government agencies serving the defence market • Many countries have developed their own certification and evaluation systems using several approaches and classification models
• 231. Product Certification to Recognised Standards (Continued) • This has often made life complicated when dealing with other internationally recognised certification schemes • It means that products have to be recertified each time for use in different industry sectors or countries, adding to an already costly and time-consuming process
• 232. Awareness of the Production of Key Technical Standards • There are various technical standards applicable to information assurance management • This section will examine some of the better-known bodies that generate technical standards • The Internet Engineering Task Force (IETF) is a large, open international community which develops and promotes standards for the internet • Its governing body meets two or three times a year. Standards are produced by working groups of interested parties, such as network designers, vendors, operators and researchers, each of which focuses on a specific topic
• 233. Awareness of the Production of Key Technical Standards (Continued) • Federal Information Processing Standards Publications (FIPS PUBS) are standards and guidelines developed and issued by NIST for federal government computer systems in the USA • Where possible, the US federal government uses currently published industry standards, but should none be suitable it will ask NIST to help develop them • NIST cooperates with national and international standards committees such as the IETF and other interested parties to produce FIPS PUBS
• 234. Awareness of the Production of Key Technical Standards (Continued) • Within Europe, the European Telecommunications Standards Institute (ETSI), based in France, has official responsibility for the standardisation of information and communications technology (ICT) • It is recognised by the European Commission and the European Free Trade Association (EFTA) secretariat • Its primary purpose is to provide technical specifications that may be used in European directives and regulations, or by manufacturers to show that their products comply with these directives and regulations
  • 235. Question 11 Qus 11: Which of the following activities should NOT be handled by the information assurance function? A. Monitoring the effectiveness of the enterprise’s assurance arrangements B. Providing advice on information assurance C. Effectively delivering a secure environment across the enterprise D. Reporting on the effectiveness of the enterprise’s assurance arrangements to senior management
  • 236. Question 12 Qus 12: Where should the information assurance function be placed within the enterprise so that it can facilitate full management co-ordination of assurance across the enterprise? A. Within the compliance function B. At board level C. It will depend on the structure of the enterprise D. Within the IT group
  • 237. Question 13 Qus 13: What is the main role of the board director with responsibility for information assurance? A. To ensure that appropriate security controls are implemented across the enterprise B. To have a detailed understanding of the threats facing the enterprise C. To implement information assurance solutions across the enterprise D. To provide day-to-day management of the information assurance function
  • 238. Question 14 Qus 14: Clearly defined responsibilities for information assurance should include which of the following? A. Operating procedures and reporting requirements B. The scope of the responsibilities and level of authority granted C. Disciplinary procedure D. None of these
  • 239. Question 15 Qus 15: Which would be the best way to hear about and plan for any regulatory changes to your industry that may affect information assurance? A. Permanently employing consultants B. Scanning bulletin boards and websites for snippets of information C. Waiting until the changes were announced in the press D. Maintaining a relationship with regulatory bodies for the industry
  • 240. Question 16 Qus 16: Which of the following groups of people should have access to the high-level security policy for the enterprise? A. Senior management and all line management B. All staff within the enterprise C. Third parties that have access to the enterprise’s information systems D. All of the above
  • 241. Question 17 Qus 17: Which of these security documents is NOT mandatory? A. A policy B. A standard C. A guideline D. A procedure
  • 242. Question 18 Qus 18: Which of the following statements best describes an information security architecture? A. A technical overview of assurance controls applied within an enterprise B. A framework of assurance controls that can be applied across the enterprise to protect its information assets C. The physical security controls applied within security locations D. A blueprint for future security controls
  • 243. Question 19 Qus 19: Which of the following is the security standard that applies to the accreditation of security controls within products? A. ISO 27001 B. ISO 15408 C. ISO 9000 D. ISO 13335
  • 244. Question 20 Qus 20: Privacy legislation is in place to protect the rights of? A. Criminals B. Companies C. The individual D. Data protection officers
  • 245. Question 21 Qus 21: Which of the following is NOT a phase in incident management? A. Assessment B. Investigation C. Reporting D. Elimination
  • 246. Domain 4: Security Lifecycle
• 247. • Module 1: The Information Lifecycle • Module 2: Identify the Stages of the Information Lifecycle • Module 3: Concepts of Design Process Lifecycle Including Essential and Non-Functional Requirements • Module 4: Testing, Audit and Review • Module 5: System Development and Support Outlines of Domain 4
  • 248. Module 1: The Information Lifecycle
• 249. Importance and Relevance of the Information Lifecycle • Information Lifecycle Management is an approach to data and storage management which recognises that the value of information varies over time and that it should be handled accordingly • Information Lifecycle Management tries to organise data according to its business value and to build policies to migrate and store data on the suitable storage tier • More simply put, Information Lifecycle Management is a method for companies to classify their content to ensure that only the most appropriate data is being stored and accessed
• 250. Importance and Relevance of the Information Lifecycle (Continued) • A good Information Lifecycle Management system organises assets at a suitable level and implements the corresponding standards of care at every stage of their life • The following are the benefits of Information Lifecycle Management: 1. Keep Track of Your Content • Information Lifecycle Management helps you keep track of your content. It is no secret that you are creating content in far greater volume than you ever used to and that your content is sticking around for longer. Information Lifecycle Management is intended to act as a working inventory of what content you have
  • 251. Importance and Relevance of the Information Lifecycle (Continued)
    2. Avoid Wasting Valuable Storage Space
    • When you know what content you have, you know which content is outdated, old or has outlived its usefulness
    • Information Lifecycle Management therefore helps to identify documents which should not be taking up valuable storage space on your systems
    • If you use cloud storage, you pay per usage; avoiding the storage of needless content helps you reduce costs
  • 252. Importance and Relevance of the Information Lifecycle (Continued)
    3. Help Meet Regulatory Compliance Standards
    • Most significantly, regulation is increasing worldwide, particularly where privacy is concerned
    • A properly constructed Information Lifecycle Management policy will identify those documents or assets which should be monitored for regulatory compliance purposes
  • 253. Module 2: Identify the Stages of the Information Lifecycle
  • 254. Information Lifecycle
    • The life cycle of information needs to be managed in a way that supports the information’s assurance or security throughout that life cycle
    • The life cycle has three main stages, beginning with the generation, creation or acquisition of the information and ending with its ultimate disposal or archiving
    • All must be considered appropriately, with the required controls and procedures put in place to support the information’s confidentiality, integrity and availability
    • The first stage is how the information comes into the possession of a custodian. This can happen in several ways: either the information has been created by someone else and sent to the custodian by email, telephone, letter, data transfer or another method, or the custodian has generated it. Either way, the information arrives in the company
  • 255. Information Lifecycle (Continued)
    • This should result in some form of classification being attached to that information by its creator, or by anyone acting in that role. The classification labels the information by significance and value so that suitable, cost-effective security standards are put in place to protect it
    • Factors to consider at the point of acquisition include the system’s plans for managing the information, unique identification of data types, and the source and classification of the information
  • 256. Information Lifecycle (Continued)
    • The second stage is the one which will usually last the longest; the information will be used in some way, which could be to inform the company or to be published for others to know or learn from
    • Publication could be in paper format, as in a book, letter or another physical document, or, as is more usual today, by electronic means: to the public over the internet or internally on an intranet
    • This use of the information may occur only once or many times throughout its life. The factors to consider during this stage include secure storage, sharing and transmission, processing, and the integrity and validity of the information
  • 257. Information Lifecycle (Continued)
    • The third stage is to dispose of the information once it has served its beneficial and intended purpose
    • Disposal could mean deletion, or it could mean archiving out of normal daily business so that it can still be retrieved
    • The factors to consider during this stage include validity dates, transfer methods for disposal, disposal methods and auditing of the process
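As an added illustration of the three stages just described (this is example code written for this page, not part of the course material), the following Python sketch classifies a record at the point of acquisition, derives its validity date for the period of use, and applies an audited disposal action once that date has passed. The classification labels, retention periods, disposal methods and sample records are assumptions made for the example.

```python
"""Minimal information-lifecycle engine: acquire/classify -> use -> dispose.

Added example for illustration only; labels, retention periods and the
sample records below are constructed assumptions, not a real schedule.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: classification label -> (retention in days,
# disposal method applied once the validity date has passed).
RETENTION_SCHEDULE = {
    "public": (365, "delete"),
    "internal": (3 * 365, "delete"),
    "confidential": (7 * 365, "archive"),  # kept retrievable, out of daily use
}


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    source: str            # how it arrived: email, letter, generated, ...
    state: str = "in_use"  # in_use -> archived | deleted


def acquire(record_id, classification, created, source):
    """Stage 1: information enters the custodian's possession and is
    classified at acquisition. Unknown labels are rejected so that nothing
    is stored without an agreed standard of care."""
    if classification not in RETENTION_SCHEDULE:
        raise ValueError(f"record {record_id!r} has no valid classification: {classification!r}")
    return Record(record_id, classification, created, source)


def validity_date(record):
    """Stage 2: the date until which the record may remain in normal use."""
    days, _ = RETENTION_SCHEDULE[record.classification]
    return record.created + timedelta(days=days)


def dispose_expired(records, today, audit):
    """Stage 3: apply the disposal method to every in-use record past its
    validity date, writing one audit entry per action. Returns the actions
    taken as (record_id, new_state) tuples."""
    actions = []
    for r in records:
        if r.state != "in_use" or today <= validity_date(r):
            continue
        _, method = RETENTION_SCHEDULE[r.classification]
        r.state = "archived" if method == "archive" else "deleted"
        audit.append(f"{today.isoformat()} {r.record_id} ({r.classification}) -> {r.state}")
        actions.append((r.record_id, r.state))
    return actions


# Constructed sample records for a stand-alone run.
SAMPLE_RECORDS = [
    acquire("R1", "public", date(2020, 1, 1), "email"),
    acquire("R2", "confidential", date(2015, 1, 1), "generated"),
    acquire("R3", "internal", date(2023, 6, 1), "letter"),
]

if __name__ == "__main__":
    trail = []
    print(dispose_expired(SAMPLE_RECORDS, date(2024, 1, 1), trail))
    print("\n".join(trail))
```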
  • 258. Module 3: Concepts of Design Process Lifecycle Including Essential and Non-Functional Requirements
  • 259. Use of Architecture Frameworks e.g. SABSA, TOGAF
    • Applying security architecture is usually a confusing process in enterprises. Traditionally, security architecture consists of preventive, corrective and detective controls which are applied to protect the firm’s infrastructure and applications
    • Some enterprises do a good job with security architecture by adding directive controls, consisting of policies and procedures
    • Many information security professionals with a traditional mind-set view security architecture as nothing more than having security policies, monitoring, tools and controls
  • 260. Use of Architecture Frameworks e.g. SABSA, TOGAF (Continued)
    SABSA, COBIT and TOGAF and Their Relationships
    • Sherwood Applied Business Security Architecture (SABSA) is a business-driven security framework for enterprises which is based on business opportunities and the risks associated with them
    • SABSA does not prescribe any particular control and relies on others for that, such as International Organisation for Standardisation (ISO) standards or COBIT (Control Objectives for Information and Related Technologies) processes. It is a methodology to ensure business alignment
    • The SABSA methodology has six layers. Every layer has a distinct view and purpose. The contextual layer, which covers business needs and goals, is at the top
  • 261. Use of Architecture Frameworks e.g. SABSA, TOGAF (Continued)
    • The second layer is the conceptual layer, which is the architecture view. The layers of the SABSA model are:
      o Security Service Management Architecture
      o Contextual Security Architecture
      o Conceptual Security Architecture
      o Logical Security Architecture
      o Physical Security Architecture
      o Component Security Architecture
  • 262. Use of Architecture Frameworks e.g. SABSA, TOGAF (Continued)
    • TOGAF is a framework and a collection of supporting tools for developing an enterprise architecture
    • The TOGAF architecture development cycle is excellent to use for any enterprise which is starting to build an enterprise security architecture
    • Like other frameworks, TOGAF begins with the business view and layer, which is followed by technology and information
  • 263. Agile Development i.e. DevOps, DevSecOps and Potential Conflict
    • In software development, Agile improves the delivery process, encouraging changes in the practices and functions of the development teams and the business so as to produce the better project or product envisaged by the client or end user
    DevOps
    • Modern software development is based on DevOps practices, which integrate software development with IT operations as a way of shortening development cycles, increasing continuous software delivery and assuring high software quality
  • 264. Agile Development i.e. DevOps, DevSecOps and Potential Conflict (Continued)
    • DevOps includes agile software engineering principles and involves continuous integration and testing activities as a means of enabling frequent delivery and integration
    • Several research reports show that IT leaders integrate and deliver software more frequently than average software organisations, which is why many growing enterprises ride the wave of DevOps methodologies
  • 265. Agile Development i.e. DevOps, DevSecOps and Potential Conflict (Continued)
    • One flaw of DevOps processes in practice is that security issues are sometimes ignored
    • In the past, it was normal practice for software development teams to deal with security challenges at the final stages of development
    • However, this practice is completely mismatched with the DevOps paradigm, where development cycles are very frequent and complete software products always need to be available
  • 266. Agile Development i.e. DevOps, DevSecOps and Potential Conflict (Continued)
    DevSecOps
    • DevSecOps is about integrating security practices into DevOps activities
    • Its emphasis is on security as a shared obligation among every DevOps stakeholder, including the development and operations teams, release engineers and security teams
  • 267. Agile Development i.e. DevOps, DevSecOps and Potential Conflict (Continued)
    • DevSecOps deals with the difficult goal of compromising between speed of delivery and code security, which are usually two conflicting targets
    • As parts of DevSecOps, these two conflicting activities need to be balanced and integrated into a common discipline of software development
    • This balancing includes a paradigm shift in code security: software security issues are managed proactively as part of agile development, instead of reactively whenever an attack occurs or a flaw is discovered
  • 268. Agile Development i.e. DevOps, DevSecOps and Potential Conflict (Continued)
    • An efficient DevOps process ensures robust and iterative security cycles without any necessary slow-down in continuous integration and software delivery
    • DevSecOps is a good way of confronting modern security challenges
    • It allows developers, security engineers, deployers and release engineers to cope with the complexity and scale of contemporary security attacks
  • 269. Service Continuity and Availability
    • Service continuity is defined as ensuring that the required IT technical facilities and services can be recovered within required and agreed business timescales
    • Service continuity is required for:
      o Lower insurance premiums
      o Regulatory requirements
      o Business relationships
      o Positive marketing of contingency capabilities
      o Organisational credibility
      o Competitive advantage
  • 270. Service Continuity and Availability (Continued)
    • Availability management performs the following tasks:
      o Optimise availability to provide cost-effective improvement and perceptible benefits
      o Ensure IT services are planned to deliver the business’s availability requirements
      o Minimise the frequency and duration of incidents
      o Report so that reliability, availability and maintainability are measured and monitored
      o Recognise shortfalls and progress corrective actions
  • 271. Module 4: Testing, Audit and Review
  • 272. Methods and Strategies for Security Testing Systems
    • Having built what is supposed to be a secure system which meets the requirements of the business, there is always value in proving that the end result is secure
    • It gives senior management confidence both in the company’s ability to design and implement systems securely and effectively and in the systems themselves
    • A single test after completion is not enough, though, as business requirements and threats are continually changing
    • Reviews and tests must be repeated at periodic intervals to look for any new issues of technology, process or threat which should be addressed
  • 273. Methods and Strategies for Security Testing Systems (Continued)
    • Some of this needs expert testing by a professional penetration test team, and some of it needs review by a combination of security and business analysts
    • From time to time, the advice of an independent external adviser can help in recognising areas which may have been overlooked or about which the internal team has limited knowledge
    • It should form part of the continuous risk management process, which exists to manage every risk, including these
  • 274. Need for Correct Reporting of Testing and Reviews
    • The test and review process needs complete and correct reporting if it is to be of any value. The report needs to be an open and honest ‘warts and all’ report which highlights any faults in the security architecture
    • Any effort to downplay or hide the problems can lead to vulnerabilities being left in place which can be successfully exploited
    • As always, the report should include an executive summary for the people who do not have the knowledge or time to understand the whole report, as well as detailed technical content
    • This summary must include the essential conclusions and ‘take-away’ messages, with a short justification for further expenditure and action
  • 275. Need for Correct Reporting of Testing and Reviews (Continued)
    • Because it can include the details of vulnerabilities in the company, it may be necessary to give this report some level of protective marking to prevent unauthorised access
    • Findings must be prioritised so that emphasis is placed on the most severe faults in the system. These are sometimes categorised by a level of impact if exploited, for example high, medium or low, accompanied by a level of difficulty to exploit (easy, medium, hard)
    • To concentrate on the worst, the overall rating combines these two scores: the highest priority is high impact that is simple to exploit
  • 276. Verifying Linkage Between Computer and Clerical Processes
    • In the best traditions of the Deming ‘Plan–Do–Check–Act’ cycle, this is where it is essential to check that the task has been completed appropriately and that the basis for the original design has not changed since the last review
    • This check will show whether people are following the procedures and whether those procedures are right for the current situation
    • If it is found that the procedures are being widely side-stepped or disregarded, it is usually a good sign that the procedures, the design or both are wrong, and changes must be considered
  • 277. Verifying Linkage Between Computer and Clerical Processes (Continued)
    Deming/Shewhart Cycle: Continuous Improvement (favoured in standards such as ISO 27001)
    • Plan: Establish the ISMS (identify an opportunity and plan for change)
    • Do: Implement and operate the ISMS (implement the change on a small scale)
    • Check: Monitor and review the ISMS (determine whether it made a difference)
    • Act: Maintain and improve the ISMS (if successful, implement it on a wider scale and continuously assess)
    Note: ISMS = Information Security Management System
  • 278. Principles of the Monitoring System and Network Access or Usage
    • There is a requirement to gather event log data from a complete range of systems, devices and appliances, and to monitor the traffic passing over the network and any external data links, for example the internet
    • There are commercial software applications and devices which can be used to perform this role, automatically processing anything up to hundreds of thousands of events per hour and retaining data for later use
  • 279. Principles of the Monitoring System and Network Access or Usage (Continued)
    • The data which has been gathered can be analysed to detect unusual patterns of behaviour and the signatures of known attacks and malware
    • It can also be reviewed forensically to collect evidence of wrongdoing and abuse, which can be used in an internal disciplinary case or given to criminal justice organisations as part of their enquiries
    • Skilled and well-trained people should do the analysis
    • The training should cover not only the technical side of identifying unusual activity, but also how to collect and preserve data in a way that is legally admissible in court
  • 280. Principles of the Monitoring System and Network Access or Usage (Continued)
    • Smaller companies without their own resources can outsource this type of work to expert third parties
    • Usually, Security Operations Centres (SOCs) provide this function, and in their armoury they will use security information and event management tools to provide real-time analysis of the gathered audit events
    • These tools integrate detailed log management with a powerful analytics engine to allow them to detect patterns of behaviour which could not be detected at a single end-user device or boundary device
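The two kinds of analysis the slides describe, matching the signatures of known attacks and spotting unusual patterns of behaviour, are shown below in a small Python analyser run over constructed sample log lines (an added example for this page, not code from the course). The syslog-like line format, the signature list, the failure threshold and the time window are all assumptions made for the example.

```python
"""Minimal event-log analyser: signature matching plus a sliding-window
pattern check. Added illustration; the log format, signatures, thresholds
and SAMPLE_LOG lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> <event> src=<ip> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>\S+) src=(?P<src>\S+)(?: user=(?P<user>\S+))?"
)

# Constructed "known attack" signature list: event name -> description.
SIGNATURES = {
    "web.request.sqli": "known SQL injection probe signature",
    "malware.hash.match": "known malware hash",
}

FAIL_THRESHOLD = 5                  # this many auth failures from one source...
FAIL_WINDOW = timedelta(minutes=2)  # ...inside this window counts as unusual


def parse(line):
    """Parse one line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyse(lines):
    """Return alerts as (kind, source, detail) tuples.
    'signature' alerts come from the static list; 'pattern' alerts fire once
    when a source reaches FAIL_THRESHOLD auth failures within FAIL_WINDOW;
    'unparsed' alerts record lines the analyser could not interpret."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent auth failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed", None, line))
            continue
        if ev["event"] in SIGNATURES:
            alerts.append(("signature", ev["src"], SIGNATURES[ev["event"]]))
        if ev["event"] == "auth.failure":
            window = failures[ev["src"]]
            window.append(ev["ts"])
            # Evict timestamps that have fallen outside the window.
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("pattern", ev["src"],
                               f"{FAIL_THRESHOLD} auth failures within {FAIL_WINDOW}"))
    return alerts


# Constructed sample log: a burst of failures from one source, one signature
# hit, ordinary activity from an internal host, and one malformed line.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 vpn1 auth.failure src=203.0.113.7 user=admin",
    "2024-03-01T10:00:15 vpn1 auth.failure src=203.0.113.7 user=admin",
    "2024-03-01T10:00:30 vpn1 auth.failure src=203.0.113.7 user=root",
    "2024-03-01T10:00:45 vpn1 auth.failure src=203.0.113.7 user=admin",
    "2024-03-01T10:01:00 vpn1 auth.failure src=10.0.0.5 user=alice",
    "2024-03-01T10:01:05 vpn1 auth.failure src=203.0.113.7 user=admin",
    "2024-03-01T10:01:20 web1 web.request.sqli src=198.51.100.9",
    "2024-03-01T10:01:30 vpn1 auth.success src=10.0.0.5 user=alice",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```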
  • 281. Module 5: Systems Development and Support
  • 282. Security Requirement Specification
    • The design of each application, network or system must meet the users’ operational requirements and also be aligned with the organisation’s information security architecture as a whole
    • The security requirements must be part of the overall statement of requirements document from which the design is created
    • It is most essential that the assurance needs are captured at the beginning of any project, to ensure that they are effective and that there is no adverse effect on the project or product from trying to reverse-engineer the security requirements later on
    • Adding them later will almost always add complication as well as cost to a project
  • 283. Security Requirement Specification (Continued)
    • Another issue can be attempts by the project team to reduce the security requirements to save time and money on the project if there has been slippage of timescales or cost overruns
    • The security manager must be able to defend their requirements, but must not be completely inflexible towards important operational requirements
    • It is necessary to have project and senior management sign off acceptance of the increased risk that results from any modifications
  • 284. Security Requirement Specification (Continued)
    • Security should not be considered as just protecting against inappropriate access and misuse; it also covers the following:
      o Defensive coding to ensure that only valid and reliable data is processed by the system
      o Proper functional testing of the system to ensure it behaves as anticipated and within the design criteria
      o Ways to back up and secure data against loss or damage
      o Sufficient assurance of availability
  • 285. Security Requirement Specification (Continued)
      o Compliance with any legal and regulatory requirements
      o Security of communications
      o Efficient auditing of activity, for instance for legal and regulatory reasons
  • 286. Security Involvement in System and Product Assessment
    • Before being used in production, all new systems and products should go through some kind of suitable acceptance testing
    • It does not matter whether they were purchased or developed; they should be evaluated for acceptable and suitable security levels
    • Each product should be considered for its potential impact on confidentiality, integrity and availability, both directly and indirectly in combination with other assets, as part of the risk assessment process
    • Several best-practice companies maintain a separate test environment which replicates the live systems, enabling assessments to be carried out without risk of an unfavourable outcome
    • Another approach is to check the source code, by eye or with automated tools; use of a malware scanner is always recommended for new code
  • 287. Security Issues Associated With Commercial off-the-shelf Systems
    • The most apparent threat with commercial off-the-shelf (COTS) products is rogue code concealed in an application which performs an action against the best interests of the company
    • It could also be that there are bugs which, while not deliberately malicious, introduce vulnerabilities that could result in a severe adverse impact
    • Mention has already been made of a separate test environment, and this is one reason it is necessary: to assist in finding any such code by recognising its behaviour before it affects production assets
    • When a new product is installed, it is important to make sure that all security updates have been applied to it
  • 288. Security Issues Associated With Commercial off-the-shelf Systems (Continued)
    • Sometimes dishonest individuals will advertise cheap copies of applications whose code they have modified to include malware
    • The reduced price means that it is more likely to be purchased and their malware installed, so security issues do not just mean checking for rogue code
    • It is also necessary to check that the product is a legal copy and not pirated
    • Ensure that the supplier is reputable, not some dubious market website or stall selling inexpensive copies
  • 289. Importance of Links With the Whole Business Process
    • The development process is another area that benefits from contact with all the business functions which will be affected by the new deliverable
    • It often happens that end users are given what the designers believed they required, but which they were never actually asked about
    • Consultation from day one has all kinds of advantages, and the end users receive the deliverable they require with a form of security built in that they can not only live with but also see a real benefit from
    • Project managers call this stakeholder commitment; it is a powerful tool that should be used by everybody
  • 290. Importance of Links With the Whole Business Process (Continued)
    • A good security manager is in close contact with all their fellow managers across the organisation, ensuring good feedback and open communication
    • It may be that the security team learns something new during the development process. Keeping up with new software tools and system technologies is as necessary for security managers and architects as maintaining current knowledge of threats and legislation
    • Developing good relations with key stakeholders across the business and gaining their trust will help the trust and credibility of the security manager
  • 291. Separation of Development, Test and Support From Operational Systems
    • The primary purpose of keeping the live and development systems separate is to protect the live data from any unintended actions that might compromise it
    • Work to develop new systems and applications almost always includes errors in design or coding, and sometimes both, which is why acceptance and functionality testing is needed
    • Any attempt to run incomplete and unproven code against a live database could have a significant effect on the capability of the company to function
    • It is usually considered best practice to have three separate systems, one each for development, test and live
  • 292. Separation of Development, Test and Support From Operational Systems (Continued)
    • The last issue to consider is that users may well require additional training before they can use the new systems properly, and the development or test systems are an excellent place to allow them to make mistakes away from the live data
    • Accidental mistakes introduced by users are a daily source of issues, and during training they are likely to be more common as users are less familiar with the system
    • Training on the development or test system removes the concern about mistakes being introduced and allows trainees to make errors in a safe environment
  • 293. Security of Acceptance Processes and Authorisation for Use
    • Once a deliverable, whether software, hardware or both, has completed development and is ready for deployment, it should be tested to ensure it does exactly what the requirements define, as documented in the functional test plan
    • If the product is an update of an existing product, there must also be regression testing to ensure no unanticipated modifications to current functionality have occurred during the update process
    • This involves testing the security aspects of the product, and also ensuring that the testing is conducted securely
  • 294. Security of Acceptance Processes and Authorisation for Use (Continued)
    • The deliverable must not only work but do so securely, without any unintentional adverse influence on other business areas or business processes
    • A risk assessment should have been conducted as part of the development life cycle and design, and its forecasts must be checked against actual testing results
    • Security testing needs to consider:
      o Protection against malware and code injection through interfaces
      o Effectiveness of defensive coding
  • 295. Security of Acceptance Processes and Authorisation for Use (Continued)
      o Backup and recovery of data
      o Auditing and behavioural analysis
      o Communications security
      o Access control
      o Resilience
  • 296. Security of Acceptance Processes and Authorisation for Use (Continued)
    • The final acceptance testing must be done by representatives from:
      o End users of the deliverable
      o The project team
      o Business management
      o The assurance team
    • The final authorisation to go live must have sign-off from each of these representatives before it can proceed
  • 297. Role of Accreditation of New or Modified Systems as Meeting their Security Policy
    • Some companies have an accreditor, or the equivalent, who is responsible for ensuring that any additions or alterations to their information networks and systems are of the required standard, specifically from a security standpoint, though to some extent from all other aspects as well
    • This individual has to approve the information security policy, architecture and procedures before the products can be deployed and used
    • Usually, this process is carried out by formal documentation against standards set in regulatory, organisational or legal documents
  • 298. Role of Accreditation of New or Modified Systems as Meeting their Security Policy (Continued)
    • Accreditation can apply specifically in the business world, particularly in aviation and finance systems, where a regulatory body must accredit systems as being fit for purpose before they can be used
    • An alternative approach is where a new system needs to be capable of accreditation to a standard
    • It may be that the organisation already has the accreditation, or is working towards it, and wants to ensure that the new system can meet the expected standards for countermeasures and controls so that it will pass audit without corrective action
  • 299. Role of Accreditation of New or Modified Systems as Meeting their Security Policy (Continued)
    • The same principle applies to existing systems which are changed or renewed: as when the system was new, all modifications should go through the same review process to ensure that the standards are being maintained in the latest work
    • Several companies require periodic review and re-accreditation even if there does not appear to have been any change
    • Sometimes users will make modifications to working practices or design without any change to the environment, or without permission. Periodic review will assist in recognising these, and formal processes can then be used to take corrective action
  • 300. Change Control for Software Integrity
    • Any modification to a software application, even when made to improve its functionality, can introduce unintended problems
    • Each company must implement and enforce an effective formal change control process to manage the risks to its reputation and information assets
    • The process begins with the submission of an outline of the proposed changes to a review board, which will weigh the advantages against the work required to complete the change and the risks
    • One of the members of this change board must be a representative of the assurance team, who will define the risks and any alterations to vulnerabilities and threats the change may bring about
  • 301. Change Control for Software Integrity (Continued)
    • If the board approves the request, they can specify approaches and conditions to be used to manage the risks
    • After the development work is finished, the latest version should undergo functionality and regression testing
    • The process must apply not merely to the hardware or software, but also to updating the documentation which describes its use, design and function
    • A copy of the latest code and accompanying documentation should be kept in a safe place for business continuity purposes
  • 302. Security Issues Relating to Outsourcing Software Development
    • The practice of outsourcing has become more popular, as it frequently drives down costs; however, it can also present new risks to the process
    • Some of these risks have security implications, such as the introduction of malicious code, intentionally or accidentally, into the deliverable or client systems during installation
    • There is also the risk of loss of trade secrets or intellectual property through the information which has to be provided to the third party, which may find its way into competitors’ possession
  • 303. Security Issues Relating to Outsourcing Software Development (Continued)
    • A similar risk applies to any data transferred to the third party. Data protection laws and regulations apply to anything sent to a third party as part of the development process
    • A further concern is a legal dispute developing between a client and a supplier. This risk can be handled by having suitable terms and conditions in the agreement, including agreed terms for dispute resolution, possibly by mediation, and knowledge of the legal jurisdiction in which disputes will be resolved
  • 304. Security Issues Relating to Outsourcing Software Development (Continued)
    • Yet the business must understand that they are likely to be the biggest losers if a contractual dispute has to be sorted out by the courts: they may not have the system they require to operate efficiently
    • On the Capability Maturity Model (CMM) for managed organisational processes, it is always advisable to control the risks by choosing a supplier that has reached level 5
    • The advent of commercial offerings through the cloud has significantly increased the number and variety of security issues to manage
  • 305. Security Issues Relating to Outsourcing Software Development (Continued)
    Capability Maturity Model Integration (CMMI)
    • A process improvement approach providing the essential elements of effective processes to continually improve their performance
    • Useful for security initiatives
    • Level 1, Initial: chaotic/reactive, uncontrolled, unstable
    • Level 2, Repeatable: processes are repeatable, possibly with consistent results, including during times of stress
    • Level 3, Defined: defined and documented standard processes for the entire organisation, with improvement over time, plus proactive processes
    • Level 4, Managed: using process metrics, management can effectively control the process; process capability is established from this level
    • Level 5, Optimising: focus is on continually improving process performance through both incremental and innovative technological changes/improvements
  • 306. Security Issues Relating to Outsourcing Software Development (Continued)
    • It is necessary to ensure that there is a clear understanding of who owns the data on the platform, what format it will be returned in if the contract ends, and that there are sufficient controls to protect its confidentiality from other organisations hosted on the same platform
    • Again, with any third-party development, it is good to have escrow protection to ensure access to the code if the organisation goes bankrupt or suffers a severe business disruption
  • 307. Preventing Covert Channels, Trojans and Rogue Code
    • Mention has already been made of the risks of undesired code ending up in a product which is being developed or updated
    • A methodology must be used to examine the code to recognise such malware. Code should also be developed to an explicitly specified set of standards
    • For short sections of code, the code walk-through is an easy yet effective way of checking a few lines of external software, though for many modern products, which are extremely large, this is not practical
  • 308. Preventing Covert Channels, Trojans and Rogue Code (Continued)
    • The testing process will need the use of a system which replicates the live system and network but is separated from them as far as is feasible
    • Some kind of automated testing tool could be used, in combination with examination of the audit logs, resulting data and outputs of network analysers, to look for abnormal and unexpected behaviour as part of the acceptance and testing stage of the development life cycle
    • If the application is large, this work can be lengthy and complicated
  • 309. Preventing Covert Channels, Trojans and Rogue Code (Continued)
    • It must be noted that this is a most challenging and complicated task to perform completely, and it soon involves very complicated mathematics if taken to its full extent
    • There are specialists who know the process, the various tools and their outputs, and it can be advisable to include one of these in the process if the malware risk and its possible effect are considered sufficiently high
  • 310. Handling of Security Patches and Non-Security Patches
    • It is a fact of life that all operating systems and software applications contain bugs
    • The length and complexity of the code make it difficult to test every single execution path through it
    • These bugs can have diverse effects, ranging from inaccurate values being saved in a database to enabling unauthorised access to the network or system
    • One way or the other, they will have some kind of adverse effect on the confidentiality, integrity or availability of the company’s information assets
    • When bugs are found, the supplier will usually issue a patch which can be installed to eliminate the vulnerability
  • 311. Handling of Security Patches and Non- Security Patches (Continued) • These patches should be tested and installed at the earliest chance. Hackers will also download the patches and try to reverse-engineer them to exploit a vulnerability if they can • The elapsed time from the release of a patch to release a useful exploit is now usually estimated in days • Some individuals argue that patches shouldn't be installed on certified products as this alters the code away from the evaluated target
  • 312. Handling of Security Patches and Non- Security Patches (Continued) • The official recommendation is that installing a patch to fix a known vulnerability is a much lower risk than that of accidentally introducing the other vulnerability at the corresponding time • Patches should always be implemented, and they should generally be tested, before they are turned out, in an environment which isn't related to the live system to assure that they do not have an adverse effect on business functionality • Some platforms are simpler to patch than others; older legacy systems may struggle by patching and become unsteady
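A worked illustration of the point on slides 310 to 312, that the exposure window is measured in days and that version checks must be done carefully, as an added example written for this page and not part of the course or of any vendor's tooling. The advisory list and host inventory are constructed; in practice they would come from the supplier's advisory feed and the asset register. The one non-obvious detail it shows is that version strings must be compared numerically: as plain strings, "3.0.9" sorts after "3.0.13" and a host would wrongly be reported as patched.

```python
"""Added example: report hosts still running a version below the patched
release and how many days each has been exposed since the patch shipped.
All advisory and inventory data is constructed for illustration."""
from __future__ import annotations

from datetime import date

# Constructed vendor advisories: package, first fixed version, patch date.
ADVISORIES = [
    {"package": "openssl", "fixed_in": "3.0.13", "released": date(2024, 1, 30)},
    {"package": "nginx", "fixed_in": "1.24.0", "released": date(2023, 4, 11)},
]

# Constructed inventory: hostname -> {package: installed version}.
INVENTORY = {
    "web-01": {"openssl": "3.0.11", "nginx": "1.24.0"},
    "web-02": {"openssl": "3.0.13", "nginx": "1.22.1"},
    "db-01": {"openssl": "3.0.13"},
}


def parse_version(v: str) -> tuple[int, ...]:
    """'3.0.13' -> (3, 0, 13) so that versions compare numerically.
    Trailing letters such as '1.0.2k' are dropped; only the numeric part
    of each dotted component is kept (assumed adequate for this example)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed_in)


def missing_patches(inventory: dict, advisories: list, today: date) -> list[dict]:
    """List every (host, package) below the fixed version, most exposed first.
    days_exposed counts from the patch release date, which is roughly when
    attackers start reverse-engineering it, not from when we first noticed."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None or is_patched(installed, adv["fixed_in"]):
                continue
            findings.append({
                "host": host,
                "package": adv["package"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "days_exposed": (today - adv["released"]).days,
            })
    findings.sort(key=lambda f: -f["days_exposed"])
    return findings


if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES, date(2024, 3, 1)):
        print(f"{f['host']:8} {f['package']:8} {f['installed']} < "
              f"{f['fixed_in']}  exposed {f['days_exposed']} days")
```

The ordering by `days_exposed` is the point of the report: with exploits appearing within days of a patch, the oldest unapplied fix on a live host is the one to push through the test environment first.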
  • 313. Use of Certified Products and Systems • There are some industry sectors and situations in which the use of software products, hardware devices and operating systems that have been formally certified to provide a minimum level of security, safety, reliability, or a combination of these, is advisable or even mandatory • Examples include the nuclear industry, air-traffic control systems, banking, and government and defence agencies • There may be an industry or government requirement for the use of this type of product, or it may simply be a requirement set by the company's own management • Probably the best-known scheme in use today, and one that is recognised internationally, is the Common Criteria (CC) evaluation scheme
  • 314. Use of Certified Products and Systems (Continued) • It offers a product assurance scale ranging from Evaluation Assurance Level (EAL) 1 to 7; the higher the number, the higher the level of assurance • The idea is that, when designing security architectures, an assured product can help to reduce risk in a quantifiable way • The vital point to note is that every evaluated product has a Target of Evaluation (TOE) and a Security Target (ST) which define exactly which features and functions were evaluated • It is essential to ensure that the features you plan to use are within that target; otherwise the certification is of no value to you
  • 315. Use of Escrow to Reduce Risks of Loss of Source Code • If a third-party organisation has written or supplied the software, the client is dependent on that supplier for support, updates and changes to it • In the past there have been cases where a supplier has been sold to a competitor or gone out of business, and the end user has had to spend large amounts of money resolving the resulting problems, which pose a real threat to their business, particularly in obtaining support if anything goes wrong • Escrow is one solution to this. The supplier and the client agree on a neutral third party (often a firm of lawyers or a bank) who holds a copy of the source code and development materials
  • 316. Use of Escrow to Reduce Risks of Loss of Source Code (Continued) • A legally binding agreement defines the circumstances under which the third party releases the material to the client, at which point ownership passes to the client together with all the appropriate rights to use and further develop the application as required
  • 317. Question 22: In the life cycle of information, which of the following is NOT one of the main stages? A. Disposal B. Creation C. Acquisition D. Utilisation
  • 318. Question 23: What technique should be used on a newly developed system just prior to its release into a live environment? A. Penetration testing B. Multi-factor authentication C. Protective monitoring D. PCI DSS
  • 319. Question 24: What is a COTS product? A. Commercially operated temporary storage B. Confidential organisational tested software C. Certified off-the-shelf D. Commercial off-the-shelf
  • 320. Question 25: The management of all alterations to an information system is best achieved by which service management process? A. Configuration management B. Requests for change C. Change control board D. All of the options above