Questions and Answers
APPSEC/ETH group GRC & CISO group DPI Cloud sec & compliance Operational ______.
Technology
Living-off-the-land attacks use trusted system tools to conduct attacks, making them harder to ______
detect
Mobile and IoT devices are increasingly targeted, with malvertising and malware posing ______
threats
A zero-day vulnerability is a software weakness unknown to those who should mitigate it, allowing hackers to exploit it before a fix is ______
The economics of cybercrime is a significant issue, with estimated costs reaching $6 trillion in ______
CISOs/Security Officers act as strategic and tactical leaders in ______
Spear phishing is a targeted form of email ______
Ransomware attacks involve mass infection of systems and demand payment in exchange for restoring access to ______
The cybersecurity landscape is subject to an ever-growing number of laws, regulations, and standards, such as ISO27k, NIST, CIS, GDPR, NIS, and FDA ______
Technology layer includes implementation, automation, and ______
Employee awareness forms the hygiene layer of ______
Hackers' return on investment (ROI) influences their target selection, with an average return per attack being less than $4,500
Cybercrime operates like a business, with a supply chain, middlemen, and distribution ______
An ISMS (Information Security Management System) is a ______ approach for managing an organization's information security, based on risk assessment and the organization's risk acceptance levels.
ISO27k is a family of standards with two main standards: ______ focuses on security controls and risk assessments, while ISO27002 provides guidelines for implementing security controls.
To define a ______ security strategy and roadmap, consider business objectives, security trends, and maturity levels.
Cyber ______ is an essential barrier for trade in the context of security trends and security management.
Cybersecurity industry faces a significant lack of ______, with 1205 vacancies in Belgium and a 16% vacancy rate.
Risk management is a crucial aspect of ISO27001:2017, and risks must be ______ at different levels and occasions.
Developing a ______ strategy involves selecting a standard/framework, increasing technical security countermeasures, and prioritizing based on current maturity levels and budget constraints.
Challenges in cybersecurity include the '______ of More' and the need for a business-driven, optimized ROSI (Return on Security Investment).
Cybersecurity presents ______, such as avoidance of direct damage, customer and investor confidence, and product differentiation.
______ of a security strategy include governance, organizational risks, technical maturity, and security requirements.
______ includes context, leadership, planning, support, operation, performance evaluation, and improvement.
A threat is a potential cause of an unwanted incident, and risk management involves comprehensive risk assessments, ______, and assessments during significant changes.
ISO31000, ISO27001:2017 defines ______ as the potential harm or threat to an organization, determined by the impact and probability
Risk management for ______ servers, such as JIRA and Confluence, involves assessing and protecting critical information assets
Example assets include ______ Directory Servers, with different risk profiles, RTOs (Recovery Time Objectives), and RPOs (Recovery Point Objectives)
ISO27001:2017 outlines 114 ______ in 14 clauses and 35 control categories for effective risk management, including ______ for information security policies, human resource security, and access control
The ______ Cyber Security Framework (CSF) provides guidelines for developing a cyber security strategy, with easy-to-understand categories and maturity levels for risk management
The NIST CSF focuses on ______ for both the Governance and Technical tracks, including the use of community support networks and prioritized controls for effective cyber defense systems
______ diagnostics and mitigation, automation, and measurements and metrics are essential components of an effective cyber security strategy, according to the NIST CSF
ISO27002:2017 and other ______ provide additional controls and guidelines for operational security governance, procedural guidelines, and technical controls
NIST validates cyber security programs and offers ______ for individuals as NIST CSF Practitioners
The ______ Controls (V7.1) are recommended for the Technical Track, offering a prioritized set of actions that are community-supported, implementable, scalable, and compliant with industry and government security requirements
The ______ critical tenets of an effective cyber defense system, according to the NIST CSF, include offense informs defense, prioritization, measurements and metrics, and continuous diagnostics and mitigation
IG1 organizations are small to medium-sized with limited IT and cybersecurity expertise. The principal concern is keeping business operational and protecting ______ and financial information.
IG2 organizations employ individuals responsible for managing and protecting IT infrastructure. They support multiple departments with varying risk profiles and may have regulatory compliance burdens. They store and process sensitive client or company information and can withstand short interruptions of service. Loss of public confidence is a major ______.
IG3 organizations employ security experts specializing in different cybersecurity facets. Systems and data contain sensitive information or functions subject to regulatory and compliance oversight. They address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the ______.
After a maturity assessment using the chosen governance standard (NIST CSF/ ISO27K for governance and CIS Controls for technical), organizations should summarize findings and risks. Define high-level risk mitigation actions and set maturity targets for the next 3 years based on ______ benchmarks.
Prioritize and detail the risk mitigation actions. Consolidate findings, risks, and mitigation actions to create a cybersecurity ______.
Findings include potential risks and should be summarized with context and insight to understand what is ______.
Describe the risks associated with each finding, but remember that these are not the equivalent of detailed ______ assessments.
The CIS Center for Internet Security provides free cybersecurity strategies and tools, including the CIS Controls (V7.1), which map to both ISO27002 and NIST CSF ______.
The CIS Controls prioritize the implementation of cybersecurity measures into three Implementation Groups (IGs): IG1, IG2, and IG3, based on the size and expertise of the ______.
Sub-Controls should be implementable with limited expertise, aimed to thwart general attacks and work with small or home office COTS hardware and ______.
Sub-Controls help security teams cope with increased operational complexity and depend on ______-grade technology and specialized expertise.
Sub-Controls must abate targeted attacks and reduce the impact of ______ attacks.
High-level description of the actions to take to mitigate the risk associated with finding A. These high-level actions will be further detailed later on.
High-level description of the actions to take to mitigate the risk associated with finding B. These high-level actions will be further detailed later on.
High-level description of the actions to take to mitigate the risk associated with finding C. These high-level actions will be further detailed later on.
One can choose to set a target maturity over 3 years, based on benchmark figures within the same sector:

              Reference  Now   2021  2022  2023
Governance    2,40       2,11  2,11  2,25  2,40
Technical     2,10       1,50  1,75  1,95  2,20

HOW TO DEVELOP A PROPER CYBER SECURITY STRATEGY

Prioritize and detail
For each high-level, risk-mitigating action, you can now specify the more detailed actions to take and prioritize these actions over the coming (3) years. Per action, think about documenting:
- Part of the governance or technical track
- The detailed action
- Stakeholders
- Budget estimate
- Timing
- Must-do / Roadmap candidate
Consider putting the high-level actions on a timeline.

Cybersecurity – how to define a cyber strategy
Example Deliverable slides (2, 3, 4, 1; slide images only)
Questions.

Security Operating Model (GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT)
Cybersecurity is too big a task to be handled by one person. Divide and conquer.

Managed Security Office Framework
- Client Security Office
- Security Office
- Essential Security & Compliance Projects
- Ecosystem of partners
- Expert Services

Security Office – Typical persons involved (Client X Security Office)
- Account manager
- Cloud security expert (if applicable)
- Application security expert (if applicable)
- CISO / SPOC (required)
- Security Architect (if applicable)
- Sidekick (preferred)
- … (what's applicable)

Foundation – Strong foundation principle for SOaaS
- Pentest
- CIS assessment
- Intelligence Gathering
- Business Threat Model
- Continuous Verification
- Security Office Portal
- Continuous Vulnerability Scanning
- Governance Control
- Incident Response
- Brainframe

Foundation – Security Office Portal
- Compliance standards: CIS, M365 CIS, Azure CIS, Zero Trust, GDPR, NIST, ISO 27001, MITRE ATT&CK
- Custom compliance
- Project Management
- Data sources with in-depth recommendations: M365 & AAD, Azure, Conditional Access, OnPremises, AWS, Google Cloud
- 450+ customizable rules

Cyber Security & Start & ScaleUps (GUEST CLASS – SECURITY TRENDS & SECURITY MANAGEMENT)
Tech Scale-Up Phases (from "conserve cash" to "invest aggressively"):
- Search for product/Market Fit
- Search for Repeatable, Scalable, & Profitable Growth Model
- Scaling the Business

Phase 1: Product/Market Fit (Search for product/Market Fit)
Business Objectives:
- Define MVP
- Find Beachhead Market for MVP
Security Objectives:
- Define Minimal Viable Product Security
- Bootstrap Security
How to Implement Security Objectives:
- Focus on Product Security Only
- Define Basic Non-Functional Requirements
- Manual Threat Modeling
- Validate Security of MVP: Penetration Testing
- Use Subsidized Security Services to minimize costs.

Phase 2: Repeatable, Scalable & Profitable Growth (Search for Repeatable, Scalable, & Profitable Growth Model)
Business Objectives:
- Exponential growth and market development.
- Gaining trust of corporate and enterprise customers.
Security Objectives:
- Gain overall security maturity and make it demonstrable towards interested stakeholders.
How to Implement Security Objectives:
- Adopt Security Standards (ISO27k, NIST, …)
- Appoint Security Resources (CISO, Security Officer, DPO); can still be part-time
- Retain focus on Product Security: Agile Pentesting, Agile Threat Modeling
- Optimize important processes by adopting (basic) security technology, e.g. buy Cloud Licenses that include security functionalities (E5, …), SAST/DAST tooling to improve code quality, …

Phase 3: Aggressive Scaling (Scaling the Business)
Business Objectives:
- Sustain market leadership & growth
Security Objectives:
- Continue to.
Study Notes
- The CIS Center for Internet Security provides free cybersecurity strategies and tools, including the CIS Controls (V7.1), which map to both ISO27002 and NIST CSF standards.
- The CIS Controls prioritize the implementation of cybersecurity measures into three Implementation Groups (IGs): IG1, IG2, and IG3, based on the size and expertise of the organization.
IG1:
- IG1 organizations are small to medium-sized with limited IT and cybersecurity expertise.
- Principal concern is keeping business operational and protecting employee and financial information.
- Sub-Controls should be implementable with limited expertise, aimed to thwart general attacks and work with small or home office COTS hardware and software.
IG2:
- IG2 organizations employ individuals responsible for managing and protecting IT infrastructure.
- Support multiple departments with varying risk profiles and may have regulatory compliance burdens.
- Store and process sensitive client or company information and can withstand short interruptions of service.
- Loss of public confidence is a major concern.
- Sub-Controls help security teams cope with increased operational complexity and depend on enterprise-grade technology and specialized expertise.
IG3:
- IG3 organizations employ security experts specializing in different cybersecurity facets.
- Systems and data contain sensitive information or functions subject to regulatory and compliance oversight.
- Address availability of services and the confidentiality and integrity of sensitive data.
- Successful attacks can cause significant harm to the public.
- Sub-Controls must abate targeted attacks and reduce the impact of zero-day attacks.
- After a maturity assessment using the chosen governance standard (NIST CSF/ ISO27K for governance and CIS Controls for technical), organizations should summarize findings and risks.
- Define high-level risk mitigation actions and set maturity targets for the next 3 years based on industry benchmarks.
- Prioritize and detail the risk mitigation actions.
- Consolidate findings, risks, and mitigation actions to create a cybersecurity strategy.
- Findings include potential risks and should be summarized with context and insight to understand what is important.
- Describe the risks associated with each finding, but remember that these are not the equivalent of detailed risk assessments.
Description
Test your knowledge of risk management and assessment in ISO standards with this quiz. Explore topics such as risk calculation, impact probability, ISO27001:2017, CI/CD servers, JIRA/Confluence, and recovery objectives.