Week 13 Security in Organisation Domain.pptx
CSF Lecture 8: Security in the Organisation Domain
Official (Closed) - Sensitive
Last update: 7/23/24 01:23 AM

Learning Outcomes
At the end of this topic, the students are expected to be able to demonstrate understanding of concepts in Security in the Organisation Domain.

Seven Security Domains

Learning Objectives
This lecture is comprised of the following sections:
Organisational Security
Information Security Governance
Policies
Law and Regulations
Risk Management

Organisational Security
What is Organisational Security?
It is an appropriate level of security, achieved by teams working together through communication and information management practices to reach a goal.
The purpose is to establish the minimum administrative, technical, and physical safeguards that will be utilised by the organisation to protect sensitive information from unauthorised access, disclosure, corruption, or destruction.

Organisational Security (continued)
Organisational security is mostly concerned with people, processes, and procedures.
It needs to ensure that employees know what to do in certain situations. Be it a security incident or a natural disaster, all employees need to understand their roles and responsibilities and the procedures they need to follow.
Formalised policies and procedures are crucial in ensuring employees understand and follow the security guidelines.

Organisational Security comprises:
Information Security Governance
Security Policies
Law & Regulations
Risk Management

Information Security Governance
What is Information Security Governance?
Information security governance is defined as “a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security program”.

Security Policies
Information security policy is an aggregate of directives, rules, and practices that prescribes how an organisation manages, protects, and distributes information.
Information security policy is an essential component of information security governance; without the policy, governance has no substance and no rules to enforce.
Information security policy should be based on a combination of appropriate legislation, such as the CMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS) and guidance; and internal agency requirements.
Without proper policies in place, we would be leaving ourselves at the mercy of cybercriminals.

Policies, Standards, Guidelines and Procedures
Types of policies and documents in place:
Policies - A policy is a simple document stating that a particular high-level control objective is important to the organisation’s success (mandatory compliance).
Standards - Standard documents ensure uniform application of a policy after approval (mandatory compliance).
Guidelines - Intended to provide advice on how organisational objectives might be achieved in the absence of a standard. Compliance with guidelines is often non-mandatory.
Procedures - Good procedures include common troubleshooting steps in case the user encounters a known problem. Compliance with established procedures is mandatory to ensure consistency and accuracy.

Law & Regulations
A variety of laws and regulations have surfaced over the past decade in an attempt to strengthen the security of information stored within companies. As a result, various security control “standards” and “frameworks” have evolved to meet the requirements of the laws.
Laws and regulations are developed at a higher “what needs to happen” level.
Standards and control frameworks are needed to ensure security is planned, organised, implemented, tested, and monitored.

Law & Regulations (continued)
Many countries have their own national laws and regulations governing information security, but the movement of data across time zones and international boundaries has complicated the issue of legal jurisdiction.
Relevant laws dealing with computer crime and security in Singapore include:
Electronic Transactions Act 2010 - provides a legal foundation for electronic signatures and gives predictability and certainty to contracts formed electronically.
Computer Misuse Act 1993 - defines a class of critical computer systems and provides them with greater protection.
Personal Data Protection Act 2012 (amended Feb 2021) - imposes a number of data protection obligations on organisations in respect of personal data.
Cybersecurity Act 2018 (amended 2024) - sets out a framework for the monitoring of Critical Information Infrastructures (CII), including imposing obligations on owners of CIIs to report cybersecurity incidents, and provides for the appointment of a Commissioner of Cybersecurity to, amongst others, oversee and promote the cybersecurity of computers and computer systems in Singapore.

Risk Management
The risks modern organisations face have grown more complex, fuelled by the rapid pace of globalisation. New risks are constantly emerging, often related to and generated by the now-pervasive use of digital technology.
Information security risk management is the “process of identifying, evaluating, and treating risks around the organisation’s valuable information. It addresses uncertainties around those assets to ensure the desired business outcomes are achieved”.
A successful risk management program:
helps an organisation consider the full range of risks it faces;
examines the relationship between risks and the cascading impact they could have on an organisation’s strategic goals.

Summary
Law & Regulations
IT Governance
Policies
Risk Management

For Reference Only
Personal Data Protection Act (for reference)

Singapore PDPA Law
What is the Personal Data Protection Act?
Any data that is about you may be considered personal data. Personal data under the PDPA may include the following:
Full name
NRIC or passport number
Photograph or video image of an individual
Mobile telephone number
Personal email address
Thumbprint
Name and residential address

PDPA – Providing Consent
Organisations will have to let you know why they are asking you for your personal data and obtain your consent before collecting, using or disclosing your personal data.
If you willingly provide your personal data for a particular purpose, you may also be allowing organisations to collect, use or disclose your personal data. This is known as “deemed consent”.

PDPA – Withdrawing Consent
You may tell an organisation to stop collecting, using or disclosing your personal data. The organisation should inform you of the likely consequences of your withdrawal before processing the request.
However, the organisation is not required to delete or destroy your personal data and may retain it for as long as there are business or legal needs.

PDPA – Requesting Access (1)
You may request to see the personal data that an organisation has about you. You can also check how your personal data has or may have been used or disclosed in the past year.
Do note that organisations may levy an administrative fee for each access request, or reject the request if it is considered frivolous.

PDPA – Requesting Access (2)
Organisations also cannot grant access if giving you the personal data could:
Cause immediate or serious harm to your safety or physical/mental health;
Threaten the safety or physical/mental health of someone else;
Reveal someone else’s personal data;
Reveal the identity of the person who provided your personal data; or
Be contrary to the national interest.

PDPA – Requesting Correction
You may request to correct an error or omission in your personal data held by the organisation.
Unless the organisation has a valid reason not to make the correction, it should correct the data and send it to organisations which have received it in the past year; or, if you agree, only to specific organisations to which the personal data was disclosed.

Singapore Law – Data Retention
Data Retention Law (Singapore)
You should keep proper records and accounts so that the income earned and expenses claimed can be readily determined. You are required to keep your records for 5 years. Examples of the records are Forms IR8A, business expense receipts, payslips and CPF statements.
How Long Should Company Records be Kept For?
The records must be retained for at least 5 years from the end of the financial year in which the relevant transactions were made.