IAS 102 Security & Risk Management
Uploaded by ConsistentLightYear, Pampanga State Agricultural University
IAS 102 UNIT 1: SECURITY & RISK MANAGEMENT

Objectives

After the discussion the students will be able to:
- Identify the elements of the CIA triad
- Understand the security governance principles
- Distinguish the control frameworks
- Analyze control frameworks
- Determine due care vs. due diligence
- Know the CISSP for legal & investigation and regulatory compliance
- Be aware of information security legal issues and of security policies, standards, procedures and guidelines
- Determine personnel, vendor, consultant and contractor security
- Understand the risk management concepts

WHAT IS SECURITY AND RISK MANAGEMENT?

Security and risk management involve identifying, assessing, and controlling risks to an organization's capital, earnings, and critical assets. These risks can arise from various sources, including financial uncertainty, legal liabilities, strategic management errors, accidents, and natural disasters. Cyber risk management specifically focuses on information systems, aiming to reduce the likelihood and impact of threats such as cyberattacks, employee mistakes, and natural disasters. It is an essential part of broader enterprise risk management, allowing companies to safeguard their profits, data, and reputation.

WHAT IS THE CIA TRIAD?

The CIA Triad (Confidentiality, Integrity, and Availability) is a guiding model in information security. A comprehensive information security strategy includes policies and security controls that minimize threats to these three crucial components.

- Confidentiality - protecting information from unauthorized access.
- Integrity - data are trustworthy, complete, and have not been accidentally altered or modified by an unauthorized user.
- Availability - data are accessible when you need them.

SECURITY GOVERNANCE PRINCIPLES

Security governance principles play a crucial role in maintaining an organization's cybersecurity posture.
There are six key principles: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior.

- Responsibility - clearly define roles and responsibilities for security across the organization.
- Strategy - align security efforts with the overall business strategy.
- Acquisition - when acquiring new technologies or services, evaluate their security implications.
- Performance - continuously monitor and assess security performance.
- Conformance - ensure compliance with relevant regulations, standards, and policies.
- Human Behavior - promote secure behaviors among employees.

CYBERATTACKS

A cyberattack is an attempt by cybercriminals, hackers or other digital adversaries to access a computer network or system, usually for the purpose of altering, stealing, destroying or exposing information.

Common types of cyberattacks

- Malware (malicious software) - any program or code created with the intent to do harm to a computer, network or server.
- Ransomware - an adversary encrypts a victim's data and offers to provide a decryption key in exchange for a payment.
- Fileless malware - malicious activity that uses native, legitimate tools built into a system to execute a cyberattack.
- Spyware - unwanted, malicious software that infects a computer or other device and collects information about a user's web activity without their knowledge or consent.
- Adware - a type of spyware that watches a user's online activity in order to determine which ads to show them. While adware is not inherently malicious, it affects the performance of a user's device and degrades the user experience.
- Trojan - malware that appears to be legitimate software, disguised as native operating system programs or harmless files such as free downloads. Trojans are installed through social engineering techniques such as phishing or bait websites.
- Worm - a self-contained program that replicates itself and spreads its copies to other computers.
- Rootkit - a collection of software designed to give malicious actors control of a computer network or application. Once activated, the malicious program sets up a backdoor and may deliver additional malware.
- Keylogger - a tool that records what a person types on a device.
- Denial-of-Service (DoS) attack - a malicious, targeted attack that floods a network with false requests in order to disrupt business operations.
- Phishing - a cyberattack that uses email, SMS, phone, social media, and social engineering techniques to entice a victim to share sensitive information such as passwords or account numbers.
- Spear phishing - a phishing attack that targets specific individuals or organizations, typically through malicious emails.
- Whaling - a social engineering attack specifically targeting senior or C-level executives with the purpose of stealing money or information, or gaining access to the person's computer in order to execute further cyberattacks.
- Smishing - sending fraudulent text messages designed to trick individuals into sharing sensitive data such as passwords, usernames and credit card numbers.
- Vishing (voice phishing) - the fraudulent use of phone calls and voice messages, pretending to be from a reputable organization, to convince individuals to reveal private information such as bank details and passwords.
- Spoofing - a technique through which a cybercriminal disguises themselves as a known or trusted source.
- Man-in-the-middle attack - a cyberattack in which an attacker eavesdrops on a conversation between two targets with the goal of collecting personal data such as passwords or banking details.
- Social engineering - a technique where attackers use psychological tactics to manipulate people into taking a desired action.
- Tailgating/piggybacking - a physical security breach in which an unauthorized person follows an authorized individual into secured premises.

ASSET SECURITY (IAS MODULE 2.1): INFORMATION AND ASSET CLASSIFICATION

What is information classification?

Information classification is a process used in information security to categorize data based on its level of sensitivity and importance. The purpose of classification is to protect sensitive information by implementing appropriate security controls based on the level of risk associated with that information. There are several classification schemes that organizations can use, but they generally include a few common levels, such as:

- Public - information that is not sensitive and can be shared freely with anyone.
- Internal - information that is sensitive but not critical, and should only be shared within the organization.
- Confidential - information that is sensitive and requires protection, and should only be shared with authorized individuals or groups.
- Secret - information that is extremely sensitive and requires the highest level of protection, and should only be shared with a select group of authorized individuals.
- Top Secret - information that, if disclosed, would cause exceptionally grave damage to national security; access is restricted to a very small number of authorized individuals with a need-to-know.

Information classification also includes labeling the information with the appropriate classification level and implementing access controls to ensure that only authorized individuals can access it. This is done through security technologies such as firewalls, intrusion detection systems, and encryption.

How to classify information?

Classifying information may seem easy, but when information comes in high volume, variety and importance, the task becomes a lot more complex. Three steps make the process easier to follow:

1. Assign a value to each information asset.
2. Label each information asset.
3. Define a method of handling each information asset.

Assigning value to the information assets

To classify information efficiently, the organization should assign a value to each information asset according to the risk of loss or harm from disclosure:

- Confidential information - information that is protected as confidential by all entities included in or impacted by the information. The highest level of security measures should be applied to such data.
- Classified information - information that has restricted access as per law or regulation.
- Restricted information - information that is available to most but not all employees.
- Internal information - information that is accessible by all employees.
- Public information - information that everyone within and outside the organization can access.

Label each information asset

After classifying information by its value, the asset owner should implement a clear and consistent labeling system for both physical and digital data. The system can use numeric or alphabetic order, as long as it is easy to understand and follow. Adding visual labels to document headers and footers helps raise security awareness, encouraging employees to avoid sharing sensitive information through USB drives, email, or cloud services.

Method of handling each information asset

Finally, after classifying and labeling its information assets, the organization should establish rules and a plan to protect them according to their classification. For example, public information can be stored in accessible locations or shared on the company's social media, while classified information should be securely locked away, either on a secure server or in a location physically monitored by security personnel.

DATA AND SYSTEM OWNERSHIP

Data ownership

Data ownership is a fundamental concept within data governance that plays a crucial role in ensuring the effective management, accountability, and utilization of data assets. It refers to the designation of authority over specific sets of data and defines who has the legal right to control, utilize, and manage that data.

System ownership

System ownership, on the other hand, involves responsibility for the maintenance, operation, and security of a specific IT system. The system owner ensures the system runs smoothly, is updated regularly, and is protected against security threats.

Importance of data ownership

Accountability and decision-making - data ownership provides a clear line of accountability for the management and integrity of data.
When a designated owner is responsible for a specific data set, they take ownership of its quality, accuracy, and compliance with regulatory requirements. This accountability ensures that data-related decisions can be made promptly, leading to faster and more effective decision-making.

Data governance framework - data ownership is a foundational element of a robust data governance framework. It establishes roles, responsibilities, and decision-making authority, enabling organizations to define and enforce data-related policies, standards, and processes. Without clear data ownership, data governance initiatives can become fragmented, leading to inconsistent practices and hindered data management efforts.

Data quality and integrity - data ownership plays a pivotal role in ensuring data quality and integrity. When data ownership is clearly assigned, the designated owner takes responsibility for maintaining data accuracy, completeness, and consistency. They are motivated to implement data quality measures, establish data validation processes, and enforce data governance policies to safeguard data integrity.

Compliance and regulatory requirements - data ownership is closely linked to compliance with regulatory requirements. Designating data owners ensures that individuals are accountable for understanding and adhering to data protection and privacy regulations. Data owners can monitor data usage, implement necessary security measures, and ensure compliance with legal obligations, mitigating the risks associated with data breaches and non-compliance.

HOW CAN I PROTECT MY PRIVACY?

Privacy concerns have become increasingly significant as more personal and sensitive data is collected and shared online.
Here are some key aspects to consider: privacy concerns, privacy laws, and measures to protect personal data.

Privacy concerns

- Data breaches - unauthorized access to personal data can lead to identity theft, financial loss, and privacy violations.
- Surveillance - governments and organizations may monitor individuals' activities, raising concerns about privacy and civil liberties.
- Data misuse - companies may use personal data for purposes beyond what users consented to, such as targeted advertising or selling data to third parties.

Privacy laws

- General Data Protection Regulation (GDPR) - this EU regulation provides comprehensive data protection and privacy for individuals within the European Union. It mandates strict consent requirements and gives individuals the right to access and delete their data.
- Health Insurance Portability and Accountability Act (HIPAA) - in the U.S., HIPAA protects sensitive health information from being disclosed without the patient's consent or knowledge.
- California Consumer Privacy Act (CCPA) - this law gives California residents the right to know what personal data is being collected about them and to whom it is being sold, and the ability to access and delete their data.

Measures to protect personal data

- Encryption - encrypting data ensures that it is unreadable to unauthorized users.
- Access controls - strict access controls help ensure that only authorized individuals can access sensitive data.
- Regular audits - conducting regular audits and assessments helps identify and mitigate potential vulnerabilities.
- User education - educating users about privacy risks and safe practices empowers them to protect their own data.

Recent development

In 2024, President Biden issued an executive order to protect Americans' sensitive personal data from exploitation by countries of concern. The order includes regulations to safeguard genomic data, biometric data, personal health data, geolocation data, financial data, and other personal identifiers.
Key aspects:

- Regulation of sensitive data - the order imposes new restrictions on sharing and processing sensitive personal data, particularly when it could be accessed by foreign governments.
- Stronger consumer protections - the executive order strengthens consumer rights, allowing Americans more control over who can access their personal data.
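The three-step classification procedure in the Asset Security module above (assign a value, label the asset, define handling rules), together with that module's point that access controls must restrict each asset to authorized individuals, worked through as a small policy-enforcement point. This is an added example, not code from the course notes or the university. The five levels follow the notes' Public / Internal / Confidential / Secret / Top Secret scheme; the numeric harm scale, the channel matrix in HANDLING_RULES, and the asset and user names are constructed for illustration only.

```python
"""Information classification as a small policy-enforcement point.

Added example for the Asset Security module; not code from the course notes.
Levels follow the notes' five-level scheme. The harm scale, the channel matrix
and the sample assets/users below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered so a larger value means more sensitive; check_access relies on
    # a user's clearance being >= the asset's level.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Step 1: assign value by the harm that disclosure would cause.
# Constructed scale: 0 = no harm ... 4 = exceptionally grave damage.
def assign_level(harm_if_disclosed: int) -> Level:
    """Map the owner's harm rating to a classification level."""
    if not 0 <= harm_if_disclosed <= 4:
        raise ValueError("harm rating must be between 0 and 4")
    return Level(harm_if_disclosed)


@dataclass
class Asset:
    name: str
    level: Level
    # Need-to-know list, consulted only for TOP_SECRET assets: at that level
    # clearance alone is not enough.
    need_to_know: frozenset = frozenset()

    # Step 2: the label rendered into document headers and footers.
    def label(self) -> str:
        return f"[{self.level.name.replace('_', ' ')}] {self.name}"


@dataclass
class User:
    name: str
    clearance: Level


# Step 3: handling rules. Constructed matrix of the channels each level may
# use; an organization would derive its own from its handling policy.
HANDLING_RULES = {
    Level.PUBLIC: {"social_media", "email", "cloud", "usb", "secure_server"},
    Level.INTERNAL: {"email", "cloud", "secure_server"},
    Level.CONFIDENTIAL: {"email", "secure_server"},
    Level.SECRET: {"secure_server"},
    Level.TOP_SECRET: {"secure_server"},
}

# Every decision is appended here so a later audit can review what was
# allowed or denied, and why.
AUDIT_LOG: list = []


def _record(decision: bool, reason: str) -> tuple:
    AUDIT_LOG.append(("ALLOW" if decision else "DENY", reason))
    return decision, reason


def check_access(user: User, asset: Asset) -> tuple:
    """Access control: clearance must cover the level; Top Secret also needs need-to-know."""
    if user.clearance < asset.level:
        return _record(False, f"{user.name}: clearance {user.clearance.name} "
                              f"is below {asset.label()}")
    if asset.level == Level.TOP_SECRET and user.name not in asset.need_to_know:
        return _record(False, f"{user.name}: not on need-to-know list for {asset.label()}")
    return _record(True, f"{user.name}: may access {asset.label()}")


def check_handling(asset: Asset, channel: str) -> tuple:
    """Handling rule: may this asset be stored or shared through this channel?"""
    if channel not in HANDLING_RULES[asset.level]:
        return _record(False, f"{asset.label()} may not go via {channel}")
    return _record(True, f"{asset.label()} may go via {channel}")


if __name__ == "__main__":
    # Constructed sample data.
    press = Asset("press release", assign_level(0))
    payroll = Asset("payroll export", assign_level(2))
    plan = Asset("merger plan", assign_level(4), need_to_know=frozenset({"ana"}))
    ana = User("ana", Level.TOP_SECRET)
    ben = User("ben", Level.TOP_SECRET)   # cleared, but not on the need-to-know list
    cat = User("cat", Level.INTERNAL)

    check_handling(press, "social_media")   # public: social media allowed
    check_handling(payroll, "usb")          # confidential: USB denied
    check_access(ana, plan)                 # allowed
    check_access(ben, plan)                 # denied: no need-to-know
    check_access(cat, payroll)              # denied: clearance too low
    for verdict, reason in AUDIT_LOG:
        print(f"{verdict:5} {reason}")
```

Two design points are worth noticing. Ordering the levels as an IntEnum makes the clearance comparison a single integer check, but the Top Secret case shows why a level comparison alone is not the whole control: the notes restrict that level to people with a need-to-know, so a cleared user who is not on the asset's list is still denied. Recording every decision in AUDIT_LOG is what later makes the "regular audits" measure from the privacy section practical.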