Information Security Management Study Material PDF
Brainware University, Kolkata
2023
Raima Saha
Summary
This document is study material for the Information Security Management course (BNC30109) in the Bachelor of Science (Honours) in Advance Networking & Cyber Security program, Semester 3, Batch 2023, at Brainware University, Kolkata. It covers topics such as governance, risk management, compliance, and incident response, providing details of cybersecurity principles within an organizational context. It's a detailed study guide outlining various aspects of information security management concepts.
Bachelor of Science (Honours) in Advance Networking & Cyber Security, Semester 3
Information Security Management (BNC30109), Batch 2023
Study Material (Information Security Management – BNC30109)
Ms. Raima Saha, Assistant Prof. (CST), Brainware University, Kolkata

Table of Contents
1. Module I: Governance (pp. 2-33)
2. Module II: Risk Management & Compliance (pp. 34-54)
3. Module III: Information Security Management Controls (pp. 55-90)
4. Module IV: Audit Management (pp. 91-112)
5. Module V: Access Control & Social Engineering, Phishing Attacks, Identity Theft (pp. 113-133)

MODULE I: GOVERNANCE

Governance in cybersecurity refers to the framework of policies, procedures, and controls that an organization implements to manage its cybersecurity risks and protect its information assets. It encompasses the overall management approach that ensures the organization aligns its cybersecurity strategy with its business objectives, regulatory requirements, and risk tolerance. The key components and principles of cybersecurity governance are:

1. Leadership and Accountability
a. Board and Executive Involvement: Cybersecurity governance starts at the top. The board of directors and executive management must be actively involved in setting the cybersecurity agenda, understanding the risks, and ensuring that appropriate resources are allocated.
b. Chief Information Security Officer (CISO): The CISO leads the cybersecurity effort, develops strategy, and ensures that cybersecurity policies are implemented effectively.

2. Policies and Procedures
a. Security Policies: Organizations must develop comprehensive security policies that define the expectations, responsibilities, and acceptable behaviours for all employees and stakeholders. These policies should cover areas such as data protection, access control, incident response, and acceptable use of technology.
b. Procedures and Guidelines: Detailed procedures and guidelines should provide step-by-step instructions on how to implement the security policies. This includes technical controls, administrative processes, and user practices.

3. Risk Management
a. Risk Assessment: Conduct regular risk assessments to identify and evaluate the cybersecurity threats and vulnerabilities that could affect the organization. This establishes the likelihood and potential impact of each cyber risk.
b. Risk Mitigation: Develop and implement strategies to mitigate identified risks, such as deploying technical controls, enhancing security awareness, and improving incident response capabilities.

4. Compliance and Legal Requirements
a. Regulatory Compliance: Ensure that the organization complies with the laws, regulations, and standards relevant to it, which may include GDPR, HIPAA, PCI DSS, and other industry-specific requirements.
b. Legal Framework: Establish a legal framework that addresses data breach notification, privacy protection, and intellectual property rights.

5. Incident Response and Management
a. Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to be taken in the event of a cybersecurity incident, including roles and responsibilities, communication protocols, and recovery procedures.
b. Incident Management Team: Establish an incident management team with clearly defined roles and responsibilities, trained to respond effectively to the various types of cyber incidents.

6. Monitoring and Reporting
a. Continuous Monitoring: Implement continuous monitoring to detect and respond to cybersecurity threats in real time, using security information and event management (SIEM) systems, intrusion detection systems (IDS), and other monitoring tools.
b. Reporting and Metrics: Develop a reporting structure that provides regular updates on the cybersecurity posture to the board, executive management, and other stakeholders. Use metrics and key performance indicators (KPIs) to measure the effectiveness of the cybersecurity program.

7. Training and Awareness
a. Security Awareness Programs: Conduct regular security awareness programs to educate employees and stakeholders about cybersecurity risks and best practices, building a culture of security within the organization.
b. Specialized Training: Provide specialized training for IT staff, security professionals, and other key personnel so that they have the skills and knowledge needed to manage cybersecurity effectively.

8. Technology and Infrastructure
a. Secure Architecture: Design and implement a secure IT architecture that incorporates security principles such as defense in depth, least privilege, and secure coding practices.
b. Access Controls: Implement robust access control mechanisms so that only authorized individuals can access sensitive information and critical systems.

9. Third-Party Management
a. Vendor Risk Management: Assess the cybersecurity posture of third-party vendors and service providers, and ensure that they adhere to the organization's security policies and contractual obligations.
b. Supply Chain Security: Implement controls to protect the supply chain from cyber threats, including validating the security practices of suppliers and partners.

10. Continuous Improvement
a. Regular Audits and Reviews: Conduct regular audits and reviews of the cybersecurity program to identify areas for improvement, including internal audits, third-party assessments, and vulnerability assessments.
b. Adaptation and Evolution: Continuously adapt the cybersecurity strategy to address emerging threats, changing technologies, and evolving business requirements.

Implement, Manage and Maintain an Information Security Governance Program

Implementing, managing, and maintaining an Information Security Governance (ISG) program involves a series of structured steps that align security objectives with business goals, ensure regulatory compliance, and manage risk effectively. A step-by-step guide:

1. Establish a Governance Framework
a. Define Objectives: Align information security objectives with business goals. Ensure compliance with legal and regulatory requirements. Manage and mitigate information security risks.
b. Develop Security Policies: Create comprehensive security policies that outline expectations, responsibilities, and acceptable behaviours, covering areas such as data protection, access control, incident response, and acceptable use of technology.
c. Create a Governance Structure: Establish an information security governance committee that includes senior management, IT leaders, and other key stakeholders. Define roles and responsibilities for information security within the organization.

2. Risk Management
a. Conduct Risk Assessments: Identify and evaluate risks to information assets. Assess the potential impact and likelihood of each identified risk.
b. Develop Risk Mitigation Strategies: Implement technical, administrative, and physical controls to mitigate identified risks. Prioritize mitigation activities based on the risk assessment.
c. Implement a Risk Management Framework: Use an established framework such as the NIST Cybersecurity Framework (or NIST Risk Management Framework), ISO/IEC 27001, or COBIT to guide risk management practices.

3. Develop and Implement Controls
a. Technical Controls: Deploy firewalls, intrusion detection/prevention systems, encryption, and access controls. Regularly update and patch systems to close known vulnerabilities.
b. Administrative Controls: Establish clear policies and procedures for information security, and ensure they are communicated and understood across the organization.
c. Physical Controls: Implement physical security measures to prevent unauthorized access to facilities and equipment.

4. Incident Response and Management
a. Develop an Incident Response Plan: Outline procedures for identifying, responding to, and recovering from security incidents. Define roles and responsibilities for the incident response team.
b. Establish an Incident Management Team: Train and equip a team to handle the various types of security incidents. Conduct regular incident response drills and simulations.
c. Post-Incident Review: Analyze incidents to identify root causes and lessons learned. Update policies, procedures, and controls based on the findings.

5. Monitoring and Reporting
a. Implement Continuous Monitoring: Use SIEM systems, IDS, and other monitoring tools. Regularly review logs and alerts to detect potential security incidents.
b. Develop Reporting Mechanisms: Produce regular reports on the organization's security posture for senior management and the board of directors. Use KPIs and metrics to measure the effectiveness of the security program.

6. Training and Awareness
a. Conduct Security Awareness Programs: Educate employees and stakeholders about cybersecurity risks and best practices. Develop targeted training for different roles and departments.
b. Specialized Training: Provide in-depth training for IT staff, security professionals, and other key personnel. Keep up with the latest threats and security technologies through continuous education.

7. Compliance and Legal Requirements
a. Ensure Regulatory Compliance: Identify applicable laws, regulations, and standards (e.g., GDPR, HIPAA, PCI DSS). Implement controls and procedures that satisfy these requirements.
b. Conduct Regular Audits: Perform internal and external audits to verify compliance with security policies and regulatory requirements. Address audit findings and implement corrective actions.

8. Third-Party Management
a. Vendor Risk Management: Assess the cybersecurity posture of third-party vendors and service providers. Include security requirements in contracts and service level agreements (SLAs).
b. Supply Chain Security: Ensure that suppliers and partners adhere to security best practices. Regularly review and update third-party risk management processes.

9. Technology and Infrastructure
a. Secure IT Architecture: Design and implement a secure IT architecture based on security principles such as defense in depth, least privilege, and secure coding practices.
Regularly review and update the architecture to address new threats and technologies.
b. Access Control Mechanisms: Implement robust access controls so that only authorized individuals can access sensitive information and critical systems. Use multi-factor authentication (MFA) and role-based access control (RBAC) to strengthen them.

10. Continuous Improvement
a. Regular Reviews and Updates: Review the information security governance program regularly to identify areas for improvement. Update policies, procedures, and controls based on current security trends and threat intelligence.
b. Feedback and Adaptation: Solicit feedback from stakeholders and incorporate it into the governance program. Adapt the program to changing business needs and emerging threats.

Effective leadership, organizational structures, and processes are crucial components of cybersecurity governance. They ensure that cybersecurity initiatives are aligned with business objectives, that risks are managed effectively, and that compliance requirements are met. A detailed breakdown follows.

Leadership in Cybersecurity Governance

1. Executive Commitment
Board of Directors: The board sets the overall direction and strategy for cybersecurity. It should understand the risks and implications of cybersecurity threats and allocate appropriate resources to manage them.
Executive Management: Senior executives, including the CEO and CFO, must prioritize cybersecurity and integrate it into the organization's strategic planning. They are responsible for ensuring that cybersecurity is a key component of business operations.

2. Chief Information Security Officer (CISO)
Role and Responsibilities: The CISO is the executive primarily responsible for cybersecurity. The CISO develops and implements the organization's cybersecurity strategy, manages security policies, and oversees incident response.
Reporting Structure: The CISO should report directly to senior management or the board so that cybersecurity receives the necessary attention and resources.

3. Security Leadership Team
Composition: This team typically includes the CISO, IT security managers, risk managers, compliance officers, and other key stakeholders.
Functions: The team collaborates on developing security strategy, implementing controls, and responding to incidents, and ensures that security initiatives are aligned with business goals and regulatory requirements.

Organizational Structures for Cybersecurity Governance

1. Governance Committees
Information Security Governance Committee: Includes representatives from departments such as IT, legal, HR, finance, and operations. It oversees the development and implementation of security policies and procedures.
Risk Management Committee: Focuses on identifying, assessing, and mitigating risks, and ensures that risk management practices are integrated into the organization's overall strategy.

2. Cybersecurity Teams
Security Operations Center (SOC): Monitors and analyzes security events in real time. It is responsible for detecting, responding to, and mitigating cybersecurity incidents.
Incident Response Team: Activated during security incidents. It follows predefined procedures to contain and remediate incidents, conducts post-incident analysis, and implements improvements.

3. Cross-Functional Collaboration
Interdepartmental Coordination: Effective cybersecurity governance requires collaboration between IT, legal, HR, finance, and other departments, so that security policies are comprehensive and address all aspects of the organization.
Third-Party Coordination: Organizations must work closely with vendors, partners, and other third parties to ensure that they adhere to security requirements and do not introduce vulnerabilities.

Processes in Cybersecurity Governance

1. Policy Development and Management
Security Policies: Develop comprehensive security policies that define the organization's security objectives, roles, and responsibilities, covering areas such as data protection, access control, incident response, and acceptable use of technology.
Policy Review and Update: Review and update security policies regularly so that they remain relevant and effective against evolving threats and business needs.

2. Risk Management
Risk Assessment: Conduct regular risk assessments to identify and evaluate cybersecurity threats and vulnerabilities, establishing the likelihood and potential impact of each risk.
Risk Mitigation: Develop and implement strategies to mitigate identified risks, including deploying technical controls, enhancing security awareness, and improving incident response capabilities.

3. Incident Response and Management
Incident Response Plan: Develop and maintain an incident response plan that outlines the steps to be taken in the event of a cybersecurity incident, including roles and responsibilities, communication protocols, and recovery procedures.
Incident Management Lifecycle: Implement a structured process for detecting, reporting, responding to, and recovering from incidents. Conduct post-incident reviews to identify lessons learned and improve response capabilities.

4. Continuous Monitoring and Reporting
Continuous Monitoring: Implement mechanisms to continuously monitor the organization's security posture, using tools such as SIEM systems, IDS, and vulnerability scanners.
Reporting and Metrics: Develop a reporting structure that provides regular updates on the organization's security posture to the board, executive management, and other stakeholders. Use metrics and KPIs to measure the effectiveness of the cybersecurity program.

5. Training and Awareness
Security Awareness Programs: Conduct regular security awareness programs to educate employees and stakeholders about cybersecurity risks and best practices, building a culture of security within the organization.
Specialized Training: Provide specialized training for IT staff, security professionals, and other key personnel so that they have the skills and knowledge needed to manage cybersecurity effectively.

6. Compliance and Legal Requirements
Regulatory Compliance: Ensure that the organization complies with relevant laws, regulations, and standards related to cybersecurity, which may include GDPR, HIPAA, PCI DSS, and other industry-specific requirements.
Audits and Reviews: Conduct regular audits and reviews of the cybersecurity program to identify areas for improvement, including internal audits, third-party assessments, and vulnerability assessments.
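Worked example (added to this study material; it is not part of the original course text). The reporting-and-metrics step above says the programme should be measured with KPIs, and the governance monitoring framework later in this module names three concrete metrics: the number of detected incidents, the time to resolve incidents, and the percentage of compliance with security policies. The Python script below computes those three figures, plus the count of open incidents, from a constructed incident register and asset list. The incident identifiers, timestamps, host names, the report time and the per-severity SLA targets are all assumptions invented for the example.

```python
"""Governance-monitoring KPIs computed from an incident register and an
asset-compliance list. Added example for this study material; all data below is
constructed for illustration, not taken from any real organization."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One row of the incident register (constructed fields)."""
    ident: str
    severity: str                     # "high", "medium" or "low"
    detected_at: datetime
    resolved_at: Optional[datetime]   # None while the incident is still open


# Constructed incident register: four incidents, one of them still open.
INCIDENTS: List[Incident] = [
    Incident("INC-001", "high",   datetime(2024, 3, 1, 9, 0),  datetime(2024, 3, 1, 13, 0)),
    Incident("INC-002", "medium", datetime(2024, 3, 2, 10, 0), datetime(2024, 3, 3, 10, 0)),
    Incident("INC-003", "low",    datetime(2024, 3, 4, 8, 30), datetime(2024, 3, 4, 9, 30)),
    Incident("INC-004", "high",   datetime(2024, 3, 5, 22, 0), None),
]

# Assumed resolution targets in hours per severity; a real programme sets these in policy.
SLA_HOURS: Dict[str, int] = {"high": 8, "medium": 48, "low": 72}

# Constructed asset list with two policy checks per host: patched within the
# patch window, and multi-factor authentication enforced.
ASSETS = [
    {"host": "web-01",  "patched": True,  "mfa": True},
    {"host": "web-02",  "patched": True,  "mfa": False},
    {"host": "db-01",   "patched": False, "mfa": True},
    {"host": "vpn-01",  "patched": True,  "mfa": True},
    {"host": "mail-01", "patched": False, "mfa": False},
]


def incident_counts(incidents: List[Incident]) -> Dict[str, int]:
    """KPI 1: number of detected incidents, broken down by severity."""
    counts: Dict[str, int] = {}
    for inc in incidents:
        counts[inc.severity] = counts.get(inc.severity, 0) + 1
    return counts


def elapsed_hours(inc: Incident, now: datetime) -> float:
    """Hours from detection to resolution, or to `now` for a still-open incident."""
    end = inc.resolved_at if inc.resolved_at is not None else now
    return (end - inc.detected_at).total_seconds() / 3600


def mean_time_to_resolve(incidents: List[Incident], now: datetime) -> Optional[float]:
    """KPI 2: mean time to resolve in hours over closed incidents only.
    Open incidents are left out so they do not distort the average; returns
    None rather than dividing by zero when nothing has been closed yet."""
    closed = [elapsed_hours(i, now) for i in incidents if i.resolved_at is not None]
    return round(mean(closed), 1) if closed else None


def sla_compliance_pct(incidents: List[Incident], now: datetime) -> Optional[float]:
    """Share of incidents resolved inside their severity's SLA target. A closed
    incident is met or breached by its resolution time; an open incident already
    past its target counts as a breach, while an open one still inside its
    target is not yet decidable and is excluded."""
    met = breached = 0
    for inc in incidents:
        limit = SLA_HOURS[inc.severity]
        hours = elapsed_hours(inc, now)
        if inc.resolved_at is not None:
            if hours <= limit:
                met += 1
            else:
                breached += 1
        elif hours > limit:
            breached += 1
    total = met + breached
    return round(100 * met / total, 1) if total else None


def policy_compliance_pct(assets, checks=("patched", "mfa")) -> Optional[float]:
    """KPI 3: percentage of (asset, check) pairs that pass the policy check."""
    results = [bool(a[c]) for a in assets for c in checks]
    return round(100 * sum(results) / len(results), 1) if results else None


def kpi_report(incidents=INCIDENTS, assets=ASSETS, now=datetime(2024, 3, 6, 12, 0)) -> dict:
    """Assemble the figures a board-level report would carry."""
    return {
        "incidents_by_severity": incident_counts(incidents),
        "open_incidents": sum(1 for i in incidents if i.resolved_at is None),
        "mttr_hours": mean_time_to_resolve(incidents, now),
        "sla_compliance_pct": sla_compliance_pct(incidents, now),
        "policy_compliance_pct": policy_compliance_pct(assets),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

Two decisions in the script are the ones a real report has to make explicitly: open incidents are excluded from the mean time to resolve but count as SLA breaches once they are past their target, and an empty register yields None for the ratio metrics rather than a division error. Running the script prints each KPI on its own line.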
Effective leadership, well-defined organizational structures, and robust processes are essential components of cybersecurity governance. By establishing a clear governance framework, involving senior leadership, creating cross-functional teams, and implementing comprehensive policies and procedures, organizations can ensure that their cybersecurity efforts are aligned with business objectives, manage risks effectively, and comply with regulatory requirements.

Information Security Management Structure

A robust information security management structure is essential for safeguarding an organization's information assets, ensuring regulatory compliance, and managing cyber risk. It involves a coordinated effort across all levels of the organization, from executive leadership to operational staff. The elements of an effective structure are:

1. Executive Leadership
a. Board of Directors
Role: Sets the overall direction and strategy for information security, ensuring that it aligns with the organization's business objectives and risk appetite.
Responsibilities: Approves the information security policy, allocates resources, and oversees the effectiveness of the security program.
b. Chief Executive Officer (CEO)
Role: Provides executive sponsorship and support for the information security program.
Responsibilities: Ensures that information security is integrated into the organizational culture and strategic planning.

2. Information Security Leadership
a. Chief Information Security Officer (CISO)
Role: Leads the information security program, develops strategy, and ensures the implementation of security policies and controls.
Responsibilities: Manages the information security team; oversees risk management, incident response, and compliance efforts; reports directly to senior management or the board.
b. Information Security Steering Committee
Role: Provides governance and oversight of the information security program.
Responsibilities: Includes representatives from various departments (IT, legal, HR, finance, operations) and ensures that security policies are aligned with business objectives and regulatory requirements.

3. Security Management and Operations
a. Information Security Manager
Role: Manages the day-to-day operations of the information security program.
Responsibilities: Oversees the implementation of security policies, manages security projects, and coordinates with other departments.
b. Security Operations Center (SOC)
Role: Monitors and analyzes security events in real time.
Responsibilities: Detects, responds to, and mitigates security incidents. Manages SIEM systems, IDS, and other monitoring tools.
c. Incident Response Team
Role: Responds to and manages security incidents.
Responsibilities: Follows predefined incident response procedures, conducts investigations, and implements remediation measures. Performs post-incident analysis to improve response capabilities.

4. Risk Management and Compliance
a. Risk Management Team
Role: Identifies, assesses, and mitigates information security risks.
Responsibilities: Conducts risk assessments, develops risk mitigation strategies, and monitors risk management activities. Ensures that risk management practices are integrated into business processes.
b. Compliance Officer
Role: Ensures that the organization complies with relevant laws, regulations, and standards.
Responsibilities: Monitors compliance with security policies and regulatory requirements, conducts audits and assessments, and manages relationships with regulatory bodies.

5. Technical and Operational Security
a. IT Security Team
Role: Implements and manages technical security controls.
Responsibilities: Deploys and maintains firewalls, encryption, access controls, and other security technologies. Conducts vulnerability assessments and penetration testing.
b. Network Security Team
Role: Protects the organization's network infrastructure.
Responsibilities: Manages network security devices, monitors network traffic, and responds to network-based threats.
c. Application Security Team
Role: Ensures the security of software applications.
Responsibilities: Reviews and tests application code for vulnerabilities, implements secure coding practices, and manages application security tools.

6. Administrative and Physical Security
a. Human Resources (HR)
Role: Manages the human element of information security.
Responsibilities: Implements security awareness programs, conducts background checks, and enforces security policies related to employee behaviour.
b. Physical Security Team
Role: Protects the organization's physical assets.
Responsibilities: Implements physical security measures such as access controls, surveillance systems, and environmental controls to protect data centers and other critical facilities.

7. Training and Awareness
a. Security Awareness Team
Role: Educates employees and stakeholders about cybersecurity risks and best practices.
Responsibilities: Develops and delivers security awareness programs, conducts training sessions, and measures the effectiveness of awareness initiatives.
b. Specialized Training Programs
Role: Provide in-depth training for IT staff, security professionals, and other key personnel.
Responsibilities: Ensure that staff have the skills and knowledge needed to manage cybersecurity effectively, with continuous education to keep up with the latest threats and technologies.

8. Continuous Improvement
a. Audit and Review Team
Role: Conducts regular audits and reviews of the information security program.
Responsibilities: Identifies areas for improvement, assesses the effectiveness of security controls, and ensures compliance with policies and regulations.
b. Feedback and Adaptation
Role: Collects and analyzes feedback from stakeholders to improve the security program.
Responsibilities: Adapts the program to changing business needs, emerging threats, and advances in technology.

Establish a framework for information security governance monitoring (considering cost/benefit analysis of controls and ROI)

Establishing a framework for information security governance monitoring means setting up a structured approach to evaluate and oversee the implementation and effectiveness of security measures. The framework should include mechanisms for cost/benefit analysis and return on investment (ROI) calculation so that the organization's resources are used efficiently. A step-by-step guide:

1. Define Objectives and Scope
a. Objectives: Ensure the effectiveness of security controls. Align security investments with business goals. Optimize resource allocation.
Demonstrate compliance with regulatory requirements.
b. Scope: Determine the systems, processes, and assets to be monitored. Define the boundaries of the monitoring activities.

2. Develop Governance Structure
a. Leadership and Accountability: Establish a governance committee with representatives from senior management, IT, finance, and other relevant departments. Assign clear roles and responsibilities for monitoring activities.
b. Policy Framework: Develop and document the information security policies, standards, and procedures that guide the monitoring activities.

3. Identify and Categorize Assets
a. Asset Inventory: Create a comprehensive inventory of all information assets, including hardware, software, data, and personnel.
b. Asset Classification: Classify assets by criticality and sensitivity to prioritize monitoring effort.

4. Risk Assessment and Management
a. Risk Identification: Conduct regular risk assessments to identify potential threats and vulnerabilities to the organization's assets.
b. Risk Analysis: Evaluate the likelihood and impact of identified risks. Prioritize risks by their potential impact on business operations.
c. Risk Mitigation: Develop and implement controls to mitigate identified risks.

5. Define Key Performance Indicators (KPIs) and Metrics
a. KPIs: Establish KPIs to measure the effectiveness of security controls and the overall security posture of the organization.
b. Metrics: Define specific, measurable metrics for each KPI, such as the number of detected incidents, time to resolve incidents, and percentage of compliance with security policies.

6. Implement Monitoring Tools and Techniques
a. Continuous Monitoring: Deploy SIEM systems, IDS, and other monitoring tools to continuously monitor security events and incidents.
b. Regular Audits and Assessments: Conduct regular internal and external audits to assess compliance with security policies and the effectiveness of controls.

7. Cost/Benefit Analysis of Controls
a. Identify Costs: Calculate the total cost of implementing and maintaining each security control, including initial investment, operational costs, and indirect costs (e.g., impact on productivity).
b. Identify Benefits: Estimate the benefits of each control, such as risk reduction, compliance, and improved operational efficiency.
c. Perform Analysis: Compare the costs and benefits of each control. Prioritize controls that offer the highest return on investment (ROI).

8. Return on Investment (ROI) Calculations
a. Define ROI Metrics: Establish the metrics used to calculate ROI, such as the reduction in the number of incidents, cost savings from avoided breaches, and productivity gains.
b. Calculate ROI: Use the formula
ROI (%) = (Net Benefits / Total Costs) × 100, where Net Benefits = Total Benefits − Total Costs.
For example (illustrative figures), a control with total costs of 50,000 and estimated total benefits of 125,000 has net benefits of 75,000 and an ROI of 150%. A negative ROI means the control costs more than the benefit it is expected to deliver.
c. Evaluate and Prioritize: Evaluate the ROI of each control and prioritize investments by calculated ROI.

9. Reporting and Communication
a. Regular Reporting: Develop a reporting structure that provides regular updates on the organization's security posture to senior management, the board of directors, and other stakeholders.
b. Communication Plan: Establish a communication plan so that all relevant parties are informed about the results of monitoring activities, including identified risks, incidents, and the effectiveness of controls.

10. Continuous Improvement
a. Feedback Mechanism: Implement a feedback mechanism to gather input from stakeholders on the effectiveness of the monitoring framework and areas for improvement.
b. Update and Adapt: Regularly review and update the monitoring framework to address emerging threats, changes in the business environment, and new regulatory requirements.

Establishing a framework for information security governance monitoring requires a comprehensive approach that integrates risk management, performance measurement, cost/benefit analysis, and continuous improvement. By following these steps, organizations can ensure that their security investments are aligned with business objectives, optimized for cost-effectiveness, and capable of mitigating risk effectively. The framework not only improves the security posture but also demonstrates the value and ROI of security initiatives to stakeholders.

Questions
1. Define an information security governance program and its key components (leadership, structures, processes).
2. Describe the different roles and responsibilities within an information security management structure.
3. Examine the cost-benefit analysis of controls in information security governance monitoring.
4. State the benefits of having a well-defined information security governance program for an organization.
5. Explain ROI in information security governance monitoring.
6. Classify the different types of information security policies based on their purpose (e.g., acceptable use, password).
7. Discuss the importance of aligning information security governance with the organization's overall strategy and risk management framework.
8. Distinguish between information security governance and information security management.
9. Estimate the potential cost of a security breach if an information security governance program is not in place.
10. Explain the role of leadership in fostering a culture of information security within the organization.
11. Define information security governance.
12. Explain the role of leadership in information security governance.
13. Describe the key components of an information security management structure.
14. Enumerate the benefits of implementing an information security governance program.
15. Distinguish between risk assessment and risk management in the context of information security.
16. Discuss the importance of cost-benefit analysis in selecting information security controls.
17. Explain the concept of return on investment (ROI) in information security.
18. Illustrate a framework for information security governance monitoring.
19. Illustrate how ISG monitoring can enhance an organization's resilience against cyberattacks.
20. Explain cost/benefit analysis of controls and ROI.

MODULE II: RISK MANAGEMENT & COMPLIANCE

Cyber Security Risk Management Program Policy and Charter

1. Policy Overview
Policy Name: Cyber Security Risk Management Policy
Policy Number:
Effective Date:
Last Reviewed:
Next Review Date:
Policy Owner: Chief Information Security Officer (CISO)
Approval: CEO

2. Purpose
The purpose of this Cyber Security Risk Management Policy is to establish a framework for identifying, assessing, managing, and mitigating risks associated with the organization's information assets.
This policy aims to ensure the protection of information assets, maintain regulatory compliance, and support the organization’s business objectives. 3. Scope This policy applies to all employees, contractors, consultants, temporary staff, and other workers at [Organization Name], including all personnel affiliated with third parties. It covers all information assets, including but not limited to data, systems, networks, and applications owned, operated, or managed by the organization. 4. Definitions Risk: The potential for loss or damage when a threat exploits a vulnerability. Threat: Any circumstance or event with the potential to cause harm to an information asset. Vulnerability: A weakness in an information asset that can be exploited by a threat. Ms. Raima Saha Assistant Prof. (CST) Brainware University, Kolkata pg. 21 Bachelor Of Science (Honours) in Advance Networking & Cyber Security Semester 3 Information Security Management (BNC30109) Batch 2023 Risk Assessment: The process of identifying, evaluating, and estimating the levels of risks. Risk Management: The process of identifying, assessing, and controlling risks. 5. Policy Statement Organization Name is committed to protecting its information assets through the implementation of a comprehensive cyber security risk management program. This program will: Identify and assess cyber security risks. Develop and implement strategies to mitigate identified risks. Ensure compliance with applicable laws, regulations, and industry standards. Continuously monitor and review the effectiveness of risk management controls and processes. Create a Risk Assessment Methodology & Framework There are many ways to perform a risk assessment, each with its own benefits and drawbacks. We will help you find which of these six risk assessment methodologies works best for your organization. What is Risk Assessment? Risk assessment is the way organizations decide what to do in the face of today’s complex security landscape. 
Threats and vulnerabilities are everywhere. They could come from an external actor or a careless user. They may even be built into the network infrastructure. Decision makers need to understand the urgency of the organization’s risks as well as how much mitigation efforts will cost. Risk assessments help set these priorities. They evaluate the potential impact and probability of each risk. Decision makers can then evaluate which mitigation efforts to prioritize within the context of the organization’s strategy, budget, and timelines. Risk Assessment Methodologies Organizations can take several approaches to assess risks—quantitative, qualitative, semi-quantitative, asset-based, vulnerability-based, or threat-based. Each methodology can evaluate an organization’s risk posture, but they all require trade-offs. Ms. Raima Saha Assistant Prof. (CST) Brainware University, Kolkata pg. 22 Bachelor Of Science (Honours) in Advance Networking & Cyber Security Semester 3 Information Security Management (BNC30109) Batch 2023 Quantitative Quantitative methods bring analytical rigor to the process. Assets and risks receive dollar values. The resulting risk assessment can then be presented in financial terms that executives and board members easily understand. Cost-benefit analyses let decision makers prioritize mitigation options. However, a quantitative methodology may not be appropriate. Some assets or risks are not easily quantifiable. Forcing them into this numerical approach requires judgment calls—undermining the assessment’s objectivity. Quantitative methods can also be quite complex. Communicating the results beyond the boardroom can be difficult. In addition, some organizations do not have the internal expertise that quantitative risk assessments require. Organizations often take on the added cost to bring in consultants’ technical and financial skills. 
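Worked example: cost/benefit analysis and ROI of controls in code. The Python program below is an added illustration and is not part of the study material. It applies the ROI formula from the governance monitoring section (ROI = (Net Benefits / Total Costs) × 100, with Net Benefits = Total Benefits - Total Costs) to the dollar-valued approach described under the quantitative methodology, ranking a small portfolio of controls. The control names, cost figures and loss estimates are constructed, and valuing "risk reduction" as the probability of a loss event per year times its financial impact is an assumption made here, not a formula from the material.

```python
"""Cost/benefit analysis and ROI ranking of security controls.

Added worked example; it is not part of the study material. It applies the
material's formula, ROI = (Net Benefits / Total Costs) x 100 with
Net Benefits = Total Benefits - Total Costs, over a multi-year horizon.
Every control name and money figure below is constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    initial_cost: float             # one-off purchase and implementation
    annual_operating_cost: float    # licences, staff time, maintenance
    annual_indirect_cost: float     # e.g. productivity impact (assumed figure)
    annual_loss_avoided: float      # risk reduction valued in money per year
    annual_other_savings: float = 0.0  # e.g. penalties avoided, efficiency gains

    def total_costs(self, years: int) -> float:
        return self.initial_cost + years * (
            self.annual_operating_cost + self.annual_indirect_cost)

    def total_benefits(self, years: int) -> float:
        return years * (self.annual_loss_avoided + self.annual_other_savings)


def expected_annual_loss(probability: float, impact: float) -> float:
    """Assumption used here: the 'risk reduction' benefit of a control is the
    expected annual loss it removes, i.e. the probability of the loss event
    per year times its financial impact."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact


def net_benefits(control: Control, years: int) -> float:
    return control.total_benefits(years) - control.total_costs(years)


def roi_percent(control: Control, years: int) -> float:
    """ROI = (Net Benefits / Total Costs) x 100, rounded to 2 decimals.
    A zero-cost control has no meaningful ratio: a positive net benefit is
    treated as infinite ROI (take it first); zero or negative as 0."""
    costs = control.total_costs(years)
    net = net_benefits(control, years)
    if costs == 0:
        return math.inf if net > 0 else 0.0
    return round(net / costs * 100, 2)


def rank_controls(controls, years):
    """Controls ordered by ROI, highest first, as (name, roi) tuples."""
    return sorted(((c.name, roi_percent(c, years)) for c in controls),
                  key=lambda t: t[1], reverse=True)


# Constructed portfolio; every figure is invented for the example.
CONTROLS = [
    Control("Multi-factor authentication", 20_000, 5_000, 2_000,
            expected_annual_loss(0.30, 150_000)),
    Control("SIEM deployment", 120_000, 60_000, 0,
            expected_annual_loss(0.10, 400_000), annual_other_savings=10_000),
    Control("Security awareness training", 5_000, 8_000, 6_000,
            expected_annual_loss(0.25, 60_000)),
    Control("Disable legacy remote-access protocol", 0, 0, 0,
            expected_annual_loss(0.20, 50_000)),
]

if __name__ == "__main__":
    for name, roi in rank_controls(CONTROLS, years=3):
        print(f"{name:40s} ROI over 3 years: {roi}%")
```

Two points the ranking makes visible: a control that costs nothing has an undefined ratio and must be handled as a special case rather than fed into the formula, and a control with a negative ROI over the chosen horizon (the SIEM entry here) is not automatically rejected, because benefits such as compliance or detection coverage that were not expressed in money are outside what the formula measures.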
Qualitative
Where quantitative methods take a scientific approach to risk assessment, qualitative methods take a more journalistic approach. Assessors meet with people throughout the organization. Employees share how, or whether, they would get their jobs done should a system go offline. Assessors use this input to categorize risks on rough scales such as High, Medium, or Low.
A qualitative risk assessment provides a general picture of how risks affect an organization's operations. People across the organization are more likely to understand qualitative risk assessments. On the other hand, these approaches are inherently subjective. The assessment team must develop easily explained scenarios, develop questions and interview methodologies that avoid bias, and then interpret the results. Without a solid financial foundation for cost-benefit analysis, mitigation options can be difficult to prioritize.

Semi-Quantitative
Some organizations combine the previous methodologies to create semi-quantitative risk assessments. Using this approach, organizations use a numerical scale, such as 1-10 or 1-100, to assign a numerical risk value. Risk items that score in the lower third are grouped as low risk, the middle third as medium risk, and the upper third as high risk.
Blending quantitative and qualitative methodologies avoids the intense probability and asset-value calculations of the former while producing more analytical assessments than the latter. Semi-quantitative methodologies can be more objective and provide a sound basis for prioritizing risk items.

Asset-Based
Traditionally, organizations take an asset-based approach to assessing IT risk. Assets are composed of the hardware, software, and networks that handle an organization's information, plus the information itself. An asset-based assessment generally follows a four-step process:
1. Inventory all assets.
2. Evaluate the effectiveness of existing controls.
3. Identify the threats and vulnerabilities of each asset.
4. Assess each risk's potential impact.
Asset-based approaches are popular because they align with an IT department's structure, operations, and culture. A firewall's risks and controls are easy to understand. However, asset-based approaches cannot produce complete risk assessments. Some risks are not part of the information infrastructure. Policies, processes, and other "soft" factors can expose the organization to as much danger as an unpatched firewall.

Vulnerability-Based
Vulnerability-based methodologies expand the scope of risk assessments beyond an organization's assets. This process starts with an examination of the known weaknesses and deficiencies within organizational systems or the environments those systems operate within. From there, assessors identify the possible threats that could exploit these vulnerabilities, along with the exploits' potential consequences. Tying vulnerability-based risk assessments to an organization's vulnerability management process demonstrates effective risk management and vulnerability management processes.
Although this approach captures more of the risks than a purely asset-based assessment, it is based on known vulnerabilities and may not capture the full range of threats an organization faces.

Threat-Based
Threat-based methods can supply a more complete assessment of an organization's overall risk posture. This approach evaluates the conditions that create risk. An asset audit will be part of the assessment, since assets and their controls contribute to these conditions. Threat-based approaches look beyond the physical infrastructure. By evaluating the techniques threat actors use, for example, assessments may re-prioritize mitigation options.
Cybersecurity training mitigates social engineering attacks. An asset-based assessment may prioritize systemic controls over employee training. A threat-based assessment, on the other hand, may find that increasing the frequency of cybersecurity training reduces risk at a lower cost.

Create a Risk Assessment Framework

What is a risk assessment framework and how does it work?
A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure. A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. A RAF has the following three important components:
- a shared vocabulary
- consistent assessment methods
- a reporting system
Common risk assessment frameworks and techniques help an organization identify which systems are at low or high risk for abuse or attack. However, risk assessments are highly subjective, which means they cannot be relied on to consistently meet their objectives. As a result, subjectivity prevents RAFs from being used in verification audits, compliance reviews, etc. Nevertheless, the data provided by a RAF is useful for proactively addressing potential threats, planning budgets and creating a culture in which the value of data is understood and appreciated.

Figure: The risk management process

What are the different types of RAFs?
There are several risk assessment frameworks accepted as industry standards. These include the following:
- Factor Analysis of Information Risk (FAIR);
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework;
- Control Objectives for Information and Related Technology (COBIT) from the Information Systems Audit and Control Association;
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team;
- Risk Management Guide for Information Technology Systems from the National Institute of Standards (NIST); and
- Threat Agent Risk Assessment (TARA).
These common risk assessment and risk management frameworks use different approaches to assess risk. For example, an information security risk assessment framework will assess IT risks like vulnerabilities, compliance, financial, operational and strategic risks. All of these risk assessment frameworks concentrate on identifying potential risks, measuring and evaluating the impact of those potential risks, categorizing and prioritizing risks, developing an action plan to mitigate risk and documenting responses. These RAFs also demand consistent monitoring, reviews, follow-ups and governance protocols.

Figure: A risk assessment matrix

How to create a risk assessment framework
To create a risk management framework, an organization can use or modify the guides provided by NIST, OCTAVE or COBIT, or create a framework that fits the organization's business requirements.
When using a risk assessment framework template, it's important to use a uniform numerical scale of 1 to 10, where 10 represents the most unfavorable consequence. The scale can also be split into five buckets, each with a low and a high value: for example, 1-2, 3-4, 5-6 and so on. The use of uniform scales makes it easy to do the math during the assessment process. It also helps to provide a clear definition of what the numbers represent and reduce any ambiguity.

Figure: Example of a 5x5 cybersecurity risk assessment matrix

Regardless of the criteria that an organization chooses, everything must be represented on a 1-10 scale and calibrated. This approach enables the aggregation of assessments and offers a holistic view of risk. It also helps to leverage universal business elements to break down risk assessments into basic elements like processes, resources and protocols standardized across business units or silos. However, organizations need to conduct risk assessments of vendor characteristics separately in order to maintain objectivity. By linking different elements together, for example, connecting vendors to the products and services that business processes depend on, and linking each financial component to the business process that contributes to it, organizations can arrive at a single overall score for each process to help prioritize focus.

Figure: Steps in an effective risk management process

An IT risk assessment framework should have the following:
1. Categorize and take inventory of all IT assets, including hardware, software, data, processes and interfaces to external systems.
2. Identify threats. Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.
3. Identify corresponding vulnerabilities. Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software or vendor issues should also be considered.
4. Prioritize potential risks. Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.
5. Document risks and determine action. This is an ongoing process with a predetermined schedule for issuing reports. The report should document the risk level for all IT assets, define what level of risk an organization is willing to tolerate and accept, and identify procedures at each risk level for implementing and maintaining security controls.

Create and Manage Risk Register

What is a Risk Register?
A risk register is an information repository an organization creates to document the risks it faces and the responses it is taking to address those risks. At a minimum, each risk documented in the risk register should contain a description of the particular risk, the likelihood of it happening, its potential impact from a cost standpoint, how it ranks overall in priority relative to all other risks, the response, and who owns the risk.

Why is a risk register important?
All types of organizations face a broad array of risks, including cybersecurity, financial, legal, operational, privacy, reputational, safety, strategic, and supply chain risks. It can be difficult to know which risks matter the most and to ensure that certain risks, such as cybersecurity risks and supply chain risks, receive adequate attention. Risk registers are useful information gathering constructs: they help senior leaders and operators see the full spectrum of their organization's significant risks and understand how best to manage those risks in order to achieve organizational objectives. Thus, any organization that wants to maintain a robust risk management process should not skip the important step of creating a risk register.
A risk register can be integrated into any risk management methodology your organization uses. Many resources, such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO), document Enterprise Risk Management frameworks and processes. These different resources outline similar approaches: identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. The risk register is a critical tool that organizations should use to track and communicate risk information for all of these steps throughout the enterprise. It serves as a key input for risk management decision-makers to consider.
NIST's latest risk document, "Integrating Cybersecurity and Enterprise Risk Management", was born from the observation that most organizations do not assess or measure cybersecurity risk with the same rigor or consistent methods as other types of risks. NIST wanted to help public and private sector organizations raise the quality of the cyber risk information they collect and provide to their management teams and decision-makers. In turn, this practice would support better cybersecurity management at the enterprise level and support the firm's core objectives.

Evaluate Risks by Identifying Threats and Opportunities
For many, the term "risk" conjures up the idea of terrible events like data breaches, service disruptions, ransomware attacks, and natural disasters. Yet NIST recommends that organizations take a balanced view when evaluating risks, encouraging cybersecurity and risk professionals to identify "all sources of uncertainty — both positive (opportunities) and negative (threats)" in their risk registers. For instance, launching a new online service provides an opportunity for a company to innovate and improve its revenues. Thus, the leadership team may direct the organization to take a little more risk. This way, senior leaders can set the risk appetite and tolerance with threats and opportunities in mind.
When cybersecurity opportunities are included in a risk register, NIST recommends updating the risk response column using one of the following response types, and describes the meaning of each:
- Realize: Eliminate uncertainty to make sure the opportunity is actualized.
- Share: Allocate ownership to another party that is better able to capture the opportunity.
- Enhance: Increase the probability and positive impact of an opportunity.
- Accept: Take advantage of an opportunity if it happens to present itself.
NIST said the comment field of the risk register should be updated to include information "pertinent to the opportunity and to the residual risk uncertainty of not realizing the opportunity."
Additionally, each risk filed into a risk register should, at a minimum, contain the following information:
- A description of the risk
- The impact to the business if the risk should occur (e.g., costs)
- The probability of its occurrence
- The risk owner(s)
- How it ranks overall relative to all other risks
- The risk response
NIST noted that companies can add more data fields as they see fit, but each risk register should evolve as changes in current and future risks occur.

How to Maintain a Risk Register
When you maintain detailed cybersecurity risk information in your risk register, you're able to manage your cyber risks in a more strategic way, focus on the right areas given limited resources, and secure additional resources because your leadership team will start to understand the value of preventative security. Here are the key benefits of putting cyber security risks into a risk register:
1. Once information is entered into a risk register, you can start to identify patterns from threats and system failures that result in adverse impacts.
2. By committing to using a risk register, you have to go through a process of gathering all relevant parties and agreeing on a common scale for measuring risks across various business units (e.g., making sure everyone knows when to use a "high-risk exposure" vs. a "moderate risk exposure"). By normalizing the tracking of risk information across different units, you will provide senior leaders with more relevant information that will help them prioritize risk response activities.
3. Company leaders will have greater confidence in the risk response choices they make because the responses will be informed by the right context, including detailed risk information, enterprise objectives, and budgetary guidance.
4. A risk register forces risk owners to write down accurate risk responses for risks they "own". To do so, risk owners will need to verify whether risks are mitigated to the extent they believe they have been: check whether certain policies are up to date and whether existing controls intended to mitigate threats are working as designed. Risk owners will talk to their compliance team or internal audit team to understand where risk management activities and compliance activities already intersect. These steps are important because they ultimately help decision-makers understand their potential exposure in achieving strategic, operations, reporting, and compliance objectives.
5. Maintaining a risk register makes it possible to produce enterprise-level risk disclosures for required filings and hearings, or for formal reports as required should your organization experience a significant incident.

What Data Should Go into a Risk Register?
At a minimum, each risk filed into a risk register should contain a description of the risk, the impact to the business if the risk should occur (e.g., costs), the probability of its occurrence, the risk owner(s), how it ranks overall relative to all other risks, and the risk response. NIST noted that companies can add more data fields as they see fit, but each risk register should evolve as changes in current and future risks occur. Here is exactly what NIST provided in its document "Integrating Cybersecurity and Enterprise Risk Management".

Register Element: Description
ID (risk identifier): A sequential numeric identifier for referring to a risk in the risk register.
Priority: A relative indicator of the criticality of this entry in the risk register, either expressed in ordinal value (e.g., 1, 2, 3) or in reference to a given scale (e.g., high, moderate, low).
Risk Description: A brief explanation of the cybersecurity risk scenario (potentially) impacting the organization and enterprise. Risk descriptions are often written in a cause-and-effect format, such as "if X occurs, then Y happens".
Current Assessment – Likelihood: An estimation of the probability, before any risk response, that this scenario will occur. The first iteration of the risk cycle may also be considered the initial assessment.
Current Assessment – Impact: Analysis of the potential benefits or consequences that might result from this scenario if no additional response is provided. The first iteration of the risk cycle may also be considered the initial assessment.
Current Assessment – Exposure Rating: A calculation of the probability of risk exposure based on the likelihood estimate and the determined benefits or consequences of the risk. Other common frameworks use different terms for this combination, such as level of risk (e.g., ISO 31000, NIST SP 800-30 Rev. 1). The first iteration of the risk cycle may also be considered the initial assessment.
Risk Response Type: The risk response (sometimes referred to as the risk treatment) for handling the identified risk.
Risk Response Description: A brief description of the risk response. For example, "Implement software management application XYZ to ensure that software platforms and applications are inventoried," or "Develop and implement a process to ensure the timely receipt of threat intelligence from [name of specific information sharing forums and sources]."
Risk Owner: The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements. The Risk Owner may work with a designated Risk Manager who is responsible for managing and monitoring the selected risk response.
Status: A field for tracking the current condition of the risk.
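Worked example: a risk register with these elements in code. The Python below is an added illustration and is not the study material's or NIST's own code. It stores the register elements just listed, validates likelihood and impact against the uniform 1-10 scale recommended earlier in this module, and derives the exposure rating and priority for each entry. Assumptions made here: the exposure rating is likelihood × impact (1 to 100), banded into thirds (Low/Medium/High) as in the semi-quantitative methodology; the 1-10 values are folded into five buckets (1-2, 3-4, and so on) to place an entry on a 5x5 matrix; and the response type is checked against the NIST threat responses (Accept, Transfer, Mitigate, Avoid) and opportunity responses (Realize, Share, Enhance, Accept). The sample entries are constructed.

```python
"""Cyber risk register built from the NIST register elements.

Added example; not the study material's or NIST's code. Assumptions: likelihood
and impact use the uniform 1-10 scale; exposure rating = likelihood x impact
(1-100) banded into thirds; 1-10 ratings fold into five buckets for a 5x5
matrix; the response type must belong to the NIST set for the entry's kind.
All register entries below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

THREAT_RESPONSES = {"Accept", "Transfer", "Mitigate", "Avoid"}
OPPORTUNITY_RESPONSES = {"Realize", "Share", "Enhance", "Accept"}


def check_scale(value: int, name: str) -> int:
    """Enforce the uniform 1-10 scale (10 = most unfavorable)."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


def band_thirds(exposure: int) -> str:
    """Lower third of 1-100 is Low, middle third Medium, upper third High."""
    if exposure <= 33:
        return "Low"
    return "Medium" if exposure <= 66 else "High"


def five_bucket(rating: int) -> int:
    """Fold 1-10 into buckets 1-2, 3-4, 5-6, 7-8, 9-10 -> 1..5 (matrix axis)."""
    return (check_scale(rating, "rating") + 1) // 2


@dataclass
class RiskEntry:
    risk_id: int                    # sequential identifier assigned by the register
    description: str                # "if X occurs, then Y happens"
    likelihood: int                 # current assessment, before any response
    impact: int                     # current assessment, if no additional response
    response_type: str
    response_description: str
    owner: str
    kind: str = "threat"            # "threat" or "opportunity"
    status: str = "Open"
    comment: str = ""               # e.g. residual uncertainty for an opportunity
    priority: Optional[int] = None  # assigned by RiskRegister.prioritize()

    def __post_init__(self) -> None:
        check_scale(self.likelihood, "likelihood")
        check_scale(self.impact, "impact")
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"kind must be threat or opportunity, got {self.kind!r}")
        allowed = THREAT_RESPONSES if self.kind == "threat" else OPPORTUNITY_RESPONSES
        if self.response_type not in allowed:
            raise ValueError(f"{self.response_type!r} is not a valid {self.kind} response")

    @property
    def exposure_rating(self) -> int:
        return self.likelihood * self.impact

    @property
    def exposure_band(self) -> str:
        return band_thirds(self.exposure_rating)

    def matrix_cell(self) -> Tuple[int, int]:
        """(likelihood bucket, impact bucket) on the 5x5 matrix."""
        return five_bucket(self.likelihood), five_bucket(self.impact)


class RiskRegister:
    def __init__(self) -> None:
        self.entries: List[RiskEntry] = []

    def add(self, **fields) -> RiskEntry:
        entry = RiskEntry(risk_id=len(self.entries) + 1, **fields)  # validates first
        self.entries.append(entry)
        self.prioritize()
        return entry

    def prioritize(self) -> None:
        """Rank all entries by exposure rating, highest first; ties keep ID order."""
        ordered = sorted(self.entries, key=lambda e: (-e.exposure_rating, e.risk_id))
        for rank, entry in enumerate(ordered, start=1):
            entry.priority = rank

    def get(self, risk_id: int) -> RiskEntry:
        return self.entries[risk_id - 1]

    def set_status(self, risk_id: int, status: str) -> None:
        self.get(risk_id).status = status

    def ids_in_band(self, band: str) -> List[int]:
        return [e.risk_id for e in self.entries if e.exposure_band == band]


def build_sample_register() -> RiskRegister:
    """Constructed entries for illustration only."""
    reg = RiskRegister()
    reg.add(description="If ransomware encrypts the file servers, then order processing halts",
            likelihood=6, impact=9, response_type="Mitigate",
            response_description="Tested offline backups; EDR on all servers",
            owner="Head of IT Operations")
    reg.add(description="If the SaaS vendor holding customer records is breached, then customer data is exposed",
            likelihood=5, impact=8, response_type="Transfer",
            response_description="Cyber insurance for third-party breach; security clauses in the vendor contract",
            owner="Procurement Lead")
    reg.add(description="If the unpatched legacy VPN appliance stays in service, then an attacker gains remote access",
            likelihood=8, impact=9, response_type="Avoid",
            response_description="Decommission the appliance; move users to the managed gateway",
            owner="CISO")
    reg.add(description="If the new customer portal launches on schedule, then online revenue grows",
            likelihood=7, impact=6, kind="opportunity", response_type="Enhance",
            response_description="Fund an additional developer to protect the launch date",
            owner="Head of Digital", comment="Residual uncertainty: launch could slip a quarter")
    return reg
```

Validation happens in the entry's constructor, so an out-of-scale rating or a response type that does not fit the entry's kind is rejected before it reaches the register; that is what keeps the common scale agreed across business units (benefit 2 above) enforceable rather than advisory.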
Risk Response Types Type Description Accept cybersecurity risk within risk tolerance levels. No additional risk response action is Accept needed except for monitoring. For cybersecurity risks that fall outside of tolerance levels, reduce them to an acceptable level by sharing a portion of the consequences with another party (e.g., cybersecurity Transfer insurance). While some of the financial consequences may be transferable, there are often consequences that cannot be transferred, like loss of customer trust. Apply actions that reduce the threats, vulnerabilities, and impacts of a given risk to an acceptable level. Responses could include those that help prevent a loss (i.e., reducing the Mitigate probability of occurrence or the likelihood that a threat event materializes or succeeds) or that help limit such a loss by decreasing the amount of damage and liability. Apply responses to ensure that the risk does not occur. Avoiding risk may be the best option if there is not a cost-effective method for reducing the cybersecurity risk to an acceptable Avoid level. The cost of the lost opportunity associated with such a decision should be considered as well. Ms. Raima Saha Assistant Prof. (CST) Brainware University, Kolkata pg. 34 Bachelor Of Science (Honours) in Advance Networking & Cyber Security Semester 3 Information Security Management (BNC30109) Batch 2023 Create a Risk Assessment Schedule & Checklists. Using a cyber security risk assessment checklist can help you understand your risks and strategically enhance your procedures, processes and technologies to reduce the chances of financial loss. This document explains the key elements of an effective checklist. Checklist: Essential Elements of a Security Risk Assessment Here are the core elements of an effective IT risk assessment checklist that will help you ensure you do not overlook critical details. 1. 
Asset Identification and Classification First, create a complete inventory of all valuable assets across the organization that could be threatened, resulting in monetary loss. Here are a few examples: Servers and other hardware Client contact information Partner documents, trade secrets and intellectual property Credentials and encryption keys Sensitive and regulated content like credit card data and medical information Then, label each asset or group of assets according to its level of sensitivity, as determined by your data classification policy. Classifying assets not only helps with risk assessment but will also guide you in implementing cybersecurity tools and processes to protect assets appropriately. Strategies for collecting information about your assets and their value include: Interviewing management, data owners and other employees Analyzing your data and IT infrastructure Reviewing documentation 2. Threat Identification A threat is anything that could cause harm to your assets. Here are some common threats: System failure Natural disasters Ms. Raima Saha Assistant Prof. (CST) Brainware University, Kolkata pg. 35 Bachelor Of Science (Honours) in Advance Networking & Cyber Security Semester 3 Information Security Management (BNC30109) Batch 2023 Human errors, such as a user accidentally deleting valuable data Malicious human actions, such as data theft or encryption by ransomware For each asset in your inventory, make a thorough list of the threats that could damage it. 3. Vulnerability Assessment The next question to ask yourself is: "If a given threat becomes reality, could it damage any assets?” Answering this question requires understanding vulnerabilities. A vulnerability is a weakness that could allow threats to cause harm to an asset. 
Document the tools and processes currently protecting your key assets and look for remaining vulnerabilities, such as: Old or unmaintained equipment or devices Excessive access permissions Unapproved, outdated or unpatched software Untrained or careless users, including third parties like contractors 4. Impact Analysis Next, detail the impacts that the organization would suffer if a given asset were damaged. These impacts include anything that could result in financial losses, such as: System or application downtime Data loss Legal consequences Compliance penalties Damage to business reputation and customer churn Physical damage to devices and property 5. Risk Scoring Risk is the potential that a threat will exploit a vulnerability and cause harm to one or more assets, leading to monetary loss. Although risk assessment is about logical constructs, not numbers, it is useful to represent it as a formula: Risk = Asset x Threat x Vulnerability Ms. Raima Saha Assistant Prof. (CST) Brainware University, Kolkata pg. 36 Bachelor Of Science (Honours) in Advance Networking & Cyber Security Semester 3 Information Security Management (BNC30109) Batch 2023 Assess each risk according to this formula and assign it a value of high, moderate or low. Remember that anything times zero is zero. For example, even if threat and vulnerability levels are high, if an asset is worth no money to you, your risk of losing money measures out to zero. For every high and moderate risk, detail the probable financial impact, and propose a solution and estimate its cost. Using the data collected in the preceding steps, create a risk management plan. Here are some sample entries: 6. Security Control Strategy Using your risk management plan, you can develop a broader plan for implementing security controls to mitigate risk. 
These security controls could include:
- Instituting stronger password policies and multifactor authentication (MFA)
- Using firewalls, encryption and obfuscation to secure your networks and data
- Deploying user activity monitoring, change management and file integrity monitoring (FIM)
- Conducting regular training for all employees and contractors
Rank potential controls based on their impact and create a strategy for mitigating your most critical risks. Be sure to get management sign-off.

7. Compliance Assessment
Assessing your compliance with applicable regulations and standards is essential to mitigating the risk of financial loss. For example, every organization that handles the data of EU residents must comply with the GDPR or risk steep fines. Accordingly, as part of your security risk assessments, be sure to identify which regulations and standards your organization is subject to and what risks could endanger your compliance.

8. Incident Response Plan
Organizations need incident response plans to contain and mitigate the damage from threats that become realized. To help ensure prompt and effective response to incidents, your plan should include elements such as:
- Key actors and other stakeholders, and their roles and responsibilities
- Communication strategies, both internal and external
- IT and security system blueprints
- Automated response actions for expected threats, such as locking offending accounts
With a clear and robust incident response plan, teams can swing into action and prevent a minor incident from snowballing into a catastrophe.

9. Recovery Plan
A recovery plan should help guide a quick restoration of the most important systems and data in the event of disaster.
Recovery plans are built on four key pillars:
- A prioritized inventory of data and systems
- An understanding of dependencies
- Backup and recovery tools and procedures
- Regular testing of the recovery process

10. Ongoing Risk Mitigation
When a disaster hits, it's vital to first address the situation at hand. But it's also essential to analyze what happened and why, and to carefully review your response and recovery efforts. With that information, you can take steps to prevent similar incidents in the future or reduce their consequences. For example, suppose you suffered a server failure. Once you have it running again, analyze why the server failed. If it overheated due to low-quality hardware, you might ask management to buy better servers and implement additional monitoring to shut servers down in a controlled way when they show signs of overheating. In addition, review your response and recovery actions to see if there are ways to restore failed servers more quickly or efficiently, and update your plans accordingly.

11. Documenting and Reporting
All security and risk assessments require thorough documentation. Documentation can take many forms but must be applied to every step of the risk assessment process, detailing all decisions and outcomes. Meticulous documentation offers multiple benefits. It helps you refine your strategies and identify additional vulnerabilities. It's also important from a communication standpoint, enabling you to share information with all stakeholders. And strict record-keeping helps ensure accountability for everyone responsible for mitigating risk.

12. Risk Communication
It's crucial to help users, management and other stakeholders understand risks to vital company assets and how they can help mitigate those risks.
The communication strategy can be formal or informal. For example, structured documentation and regular reminders can be an effective way to educate users about phishing in order to reduce the risk of costly malware infections. But less critical risks could be communicated informally by managers to their teams.

13. Security Training and Awareness
Training is essential to creating a culture of awareness and safety. Training should be prioritized based on risk severity. The level of severity will also affect the metrics used to measure training effectiveness and verify training completion. For example, phishing email awareness might be assigned a risk level of high in an organization, so in-depth universal training might be mandated, with verification by management. Lower-level risks may have training on a case-by-case basis, or only up to a certain percentage of competence.

Create Risk Reporting Metrics and Responses
Metrics are tools to facilitate decision-making and improve performance and accountability. A cybersecurity metric records the number of reported incidents, any fluctuations in these numbers, and the time taken to identify an attack and its cost. It therefore provides statistics that can be used to ensure the security of the current application. Organizations get an overall view of threats in terms of time, severity and number, which matters today because this data keeps fluctuating. In this way organizations can maximize protection from threats in the future. A cybersecurity metric is the optimal way to monitor applications for cybersecurity.

Use of a Cybersecurity Metric
A cybersecurity metric assists the organization in the following ways:
- It facilitates decision-making and improves overall performance and accountability.
- It helps in setting quantifiable measures based on objective data in the metric.
- It helps in making corrections in an efficient way.
- It brings together all the factors like finance, regulation and organization to measure security.
- It maintains the log of every individual system that has been tested over the years.

Some Cybersecurity Metrics
Here is a list of some important cybersecurity metrics that portray the current threat scenario well.
- Number of systems with vulnerabilities: A very important cybersecurity metric is to know where your assets lag. This helps in determining risks along with the improvements that must be made. This way the vulnerabilities can be worked on before anyone exploits them.
- Mean detection and response time: The sooner a cybersecurity breach is detected and responded to, the smaller the loss. It is important to have systems that reduce the mean detection and response time.
- Data volume over a corporate network: Employees having unrestricted access to the company's internet may turn into a disaster. If they use the company's resources to download anything, it might lead to a malware infection.
- Incorrectly configured SSL certificates: A company's digital identity can be used to extract critical information if proper authentication measures are not in place. Thus, it is important to keep track of SSL certificates that are not correctly configured.
- Deactivation time of credentials of a former employee: Employees no longer a part of the organization must not be given access to the company's resources. Moreover, their previous rights must be terminated immediately, otherwise sensitive information might be put at risk.
- The number of users having higher access levels: There are individuals that have a wider range of data access compared to others. All of this must be efficiently monitored by the company, and unnecessary access should be minimized.
- Open communication ports during a time period: Communication occurs both ways. The ports for inbound and outbound traffic must be individually monitored. NetBIOS must be avoided in inbound traffic and SSL should be properly monitored in outbound traffic. Also, ports that allow protocols for remote sessions must be monitored for a period of time.
- Access to systems by third parties: Some systems of a company are more critical than others. For the critical ones, a proper mapping of the third parties using them should be maintained and monitored.
- Review of frequency of third-party access: Third parties might have to access the network of a company to complete a project or activity. Thus, monitoring their access is important to identify any suspicious activity that might be occurring at their end.
- Partners with effective cybersecurity: A company may have full control over its own cybersecurity policies, but you never know whether its business partners are as conscientious. Thus, the higher the number of partners with strict cybersecurity policies, the lower the chances of cyberattacks.

Why Use a Metric?
Here is a list of the main three reasons that validate the advantage of using metrics.
- For learning: To figure out different information pertaining to a system, we have to start by asking questions. These questions lead us to answers and in turn to information. This becomes easier with the help of a metric, and thus the understanding of cybersecurity risks improves.
- For decision making: When we use a metric to gain information about a system, we can extend its use even further by gaining insight into previous decisions. This way, we can better manage the decisions that have to be taken with respect to current cybersecurity risks.
- For implementation of plans: After analyzing the loopholes in the system and making decisions on how to go about rectifying them, it is time to take action. This implementation can be supported further by referring to previous records and assessments in the cybersecurity metric.

Metric: Good or Bad?
A good metric is:
- Definable
- Comprehensive
- Has room for comparison
With that being said, it is also important not to waste time on things that are ever fluctuating or, for that matter, those that never change. Here are a few examples of good and bad metrics:

Sl. No. | Good Metric                  | Bad Metric
01.     | Percentage of AV/EPP events  | Frequency of security issues
02.     | Cost of event control        | Frequency of closed risks
03.     | Malware instances            | Closed security tickets
04.     | Recurring vulnerabilities    | Log management
05.     | CIS score per head           | AV detection

Challenges with a Cybersecurity Metric
- It tracks activity but does not say anything about outcomes. This is a major limitation because the outcome adds more value.
- The metric provides a simple dashboard showing the security status of a company. However, in the process, it reveals key information about how prepared the organization is.
- There exists a huge communication gap between the security function and the people they report to. Thus, the metric becomes incomprehensible for management.
- The indications a metric gives are not fixed. They might change, and thus viewing a metric as an exact science might not do any good to an organization.
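An added example, not from the study material, that computes three of the metrics listed above from constructed records: mean detection and response time from incident timestamps, credential deactivation time for former employees from offboarding records, and the share of enabled accounts with elevated access. The record layouts and the reporting date are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data, not from the study material.
# Incidents: (id, attack start, detected, response completed).
INCIDENTS = [
    ("INC-1", "2024-03-01 08:00", "2024-03-01 10:30", "2024-03-01 12:00"),
    ("INC-2", "2024-03-05 22:15", "2024-03-06 09:00", "2024-03-06 15:45"),
    ("INC-3", "2024-03-10 14:00", "2024-03-10 14:20", "2024-03-10 16:05"),
]

# Accounts: (user, role, termination date or None, account disabled date or None).
ACCOUNTS = [
    ("alice", "admin", "2024-02-28", "2024-02-28"),  # disabled the same day
    ("bob",   "user",  "2024-03-03", "2024-03-07"),  # four days of lag
    ("carol", "admin", "2024-03-04", None),          # left, account still enabled
    ("dave",  "user",  None, None),                  # current employee
    ("erin",  "admin", None, None),                  # current employee
]

AS_OF = datetime(2024, 3, 10)   # assumed reporting date


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def mean_detection_and_response_hours(incidents):
    """Mean time to detect (attack start to detection) and mean time to
    respond (detection to completed response), both in hours."""
    detect = [(_ts(d) - _ts(s)).total_seconds() / 3600 for _, s, d, _ in incidents]
    respond = [(_ts(r) - _ts(d)).total_seconds() / 3600 for _, _, d, r in incidents]
    return round(mean(detect), 2), round(mean(respond), 2)


def credential_deactivation_metric(accounts, as_of):
    """Lag in days between termination and account disablement. Leavers whose
    accounts are still enabled are listed separately with the days elapsed,
    since every such day leaves company resources open to a former employee."""
    lags, still_enabled = [], []
    for user, _, terminated, disabled in accounts:
        if terminated is None:
            continue  # current employee, out of scope for this metric
        if disabled is None:
            still_enabled.append((user, (as_of - _day(terminated)).days))
        else:
            lags.append((_day(disabled) - _day(terminated)).days)
    return {
        "mean_lag_days": mean(lags) if lags else 0,
        "max_lag_days": max(lags) if lags else 0,
        "still_enabled_after_termination": still_enabled,
    }


def privileged_user_ratio(accounts):
    """Enabled accounts with elevated access over all enabled accounts.
    A leaver's forgotten admin account is counted here as well."""
    enabled = [a for a in accounts if a[3] is None]
    privileged = [a for a in enabled if a[1] == "admin"]
    return len(privileged), len(enabled)


def metrics_report(incidents=INCIDENTS, accounts=ACCOUNTS, as_of=AS_OF):
    """Assemble the three metrics into one dashboard-style record."""
    mttd, mttr = mean_detection_and_response_hours(incidents)
    priv, total = privileged_user_ratio(accounts)
    return {
        "mean_time_to_detect_hours": mttd,
        "mean_time_to_respond_hours": mttr,
        "credential_deactivation": credential_deactivation_metric(accounts, as_of),
        "privileged_enabled_accounts": f"{priv}/{total}",
    }


if __name__ == "__main__":
    for key, value in metrics_report().items():
        print(f"{key}: {value}")
```

The still-enabled leaver account surfaces in two metrics at once, which is the kind of cross-check the text describes when it says metrics should bring several factors together.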
Identify risks and risk appetite
Working with top management and drawing on internal and external resources, the chief risk and information security officers create a list of critical assets, known risks, and potential new risks. In conjunction with this effort, top management and the board establish the organization's appetite for the risks that have been identified. An assessment is also made in this phase of existing controls and vulnerabilities. The risk appetite will vary according to the value to the organization of the threatened asset. A leaked internal newsletter, for example, is less likely to pose a serious threat than the exposure of customer credit-card data. The chief measure of cyber-resilience is the security of the organization's most valuable assets. The prioritization of identified risks is therefore a task of utmost importance, which is why top management must be involved.

Analysis and evaluation
Once the risks and threats have been identified, internal and external experts need to evaluate each risk with regard to likelihood of occurrence and potential impact, including, as applicable, regulatory, reputational, operational, and financial impact. Based on this assessment, the risk function or risk owners can prioritize areas for mitigation, starting with the most likely scenarios that will have the biggest negative impact (top right-hand area of the map, marked in dark blue in the exhibit).

Treatment
Once risks have been identified and prioritized according to likelihood and impact, the risk owners and the risk function should work together to create an overview of all initiatives undertaken to mitigate the top cyber risks. The initiatives should be evaluated on their effectiveness in reducing the probability of a risk event occurring and the impact of an event that does occur. Taking into account the effects of the mitigating initiatives, risk experts determine whether the residual risk for each top risk now falls within the parameters of the organization's risk appetite. Should the residual risk level exceed these considered limits, additional mitigation initiatives can then be developed and deployed.

Monitoring
Among the most important instruments for fostering discipline throughout the organization are scheduled status updates to senior management on top cyber risks, treatment strategy, and remediation. Over time, the indicators and criteria used in such updates will become the basic language in the organization's conversations about risk. The updates should be well written, concise, and free of mysterious acronyms and specialized jargon. For the board, a single well-composed page of text should suffice.

Focused Risk Mitigation
Cyber risk managers in large organizations are often swamped with information on threats that exceeds their capacity to respond appropriately. Fortunately, not all the alerts are warranted. For example, most organizations are little threatened by a so-called advanced persistent attack. The low probability should become visible in risk analysis, freeing organizations from devoting resources to the highly sophisticated defenses needed to protect against such attacks.
Instead, they will be able to focus on creating countermeasures for common kinds of attacks, such as a distributed denial of service induced by malware or malicious overload. The optimal strategy will include controls to prevent collateral damage and investment in state-of-the-art safeguards to ensure business continuity in case of an attack. The goal for cyber risk managers is an efficient, adaptive, and sustainable regime. To attain it, fact-based prioritization is of great importance. Accurate risk sizing is dependent on a few basic inputs:
- a business perspective of the institution's key assets and the top risks that could affect them
- realistic, updated assessments of relevant threats and threat actors, formulated in detail as appropriate
- a consistent and accurate definition of risk appetite for the organization as a whole, prioritized and revised as appropriate
With an approach based on these factors, executives can give clear guidance on cyber risk to all levels of the organization. The overall strategy includes a well-prioritized risk profile, efficiently focused on reducing disruption or slowdowns. For example, employee-related controls would be tailored by role: controls to avoid data leakage would apply only to those with access to key assets, rather than to all.

Holistic cyber risk reporting
When risk managers set out to implement holistic cyber risk reporting, they are often surprised by how little they know about their organization. Many organizations have no reliable inventory of databases, applications, devices, people, buildings, third parties, and access rights. At many companies, vulnerable critical assets are managed locally, invisible to cyber risk managers at company headquarters.
At one financial-services firm, as many as 50 copies of the same data were being held, including for highly sensitive customer information. While some of the copies were well protected with state-of-the-art controls, others floated around and were frequently transferred using unencrypted email and even employees' personal thumb drives. Although strict controls had been defined, business units granted exceptions from the rules in a parallel process that was not aligned with the overall digital risk-management regime. This double standard was a major source of uncontrolled risk for the whole organization.

At a large manufacturer, critical industrial-production environments were connected to the internet through unregistered interfaces. These had been installed by third-party providers for remote maintenance. In effect, they exposed the entire production environment to cyberattacks. The scope of such attacks has lately extended beyond IT systems to operational technology (OT). OT systems include industrial control systems and Internet of Things devices, from refrigeration units to pacemakers. Such equipment is often more vulnerable than IT systems because OT security standards are less developed. The lesson from the experience of OT vulnerability is that all critical assets must be part of the cybersecurity strategy. The strategy must cover the entire value chain, minimizing the blind spots of an organization's risk assessment.

Analyze and Understand Common External Laws, Regulations, Standards and Best Practices Applicable to the Cyber Security Organization

What is cybersecurity compliance?
Cybersecurity compliance is the practice of conforming to established standards, regulations, and laws to protect digital information and systems from cybersecurity threats.
By implementing specific policies, procedures, and controls, organizations meet the requirements set by various governing bodies. This enables these organizations to demonstrate their commitment to cybersecurity best practices and legal mandates. Consider the construction of a house. Just as architects and builders follow blueprints and building codes to ensure the house is safe, sturdy, and functional, cybersecurity compliance serves as the "blueprint" for organizations in the digital world. These guidelines and standards ensure that the organization's digital "structure" is secure, resilient, and trustworthy. By adhering to these blueprints, organizations not only protect their assets but also create a foundation of trust with their stakeholders, much like a well-built house stands strong and provides shelter for its inhabitants.

Why is cybersecurity compliance important?
At its core, the importance of cybersecurity compliance can be distilled into one critical aspect: the financial well-being of an organization. Typically, when we list the benefits of cybersecurity compliance, we are forced to use imprecise ideas like "enhanced trust" or "reputational safeguarding," but the common thread connecting all these benefits is the tangible and direct impact on an organization's bottom line. It is therefore easier to understand the benefits of cybersecurity compliance by looking instead at the consequences of non-compliance.
1. Direct financial penalties: Regulatory bodies can impose substantial fines on organizations that neglect cybersecurity standards. According to the IBM Cost of a Data Breach Report 2023, the average company can expect to pay approximately $40,000 USD in fines due to a data breach. The emphasis of this figure is that it is the average. A black swan event can lead to a significantly different outcome. A prime example of this is the TJX Companies data breach in 2006.
TJX faced a staggering fine of $40.9 million for non-compliance with PCI DSS standards after the exposure of the credit card information of more than 45 million customers.
2. Operational disruptions: Incidents like ransomware attacks can halt operations, leading to significant revenue loss.
3. Loss of customer trust: A single data breach can result in a mass exodus of clientele, leading to decreased revenue.
4. Reputational damage: The long-term financial effects of a tarnished reputation can be devastating, from stock price drops to reduced market share.
5. Legal fees: Lawsuits from affected parties can result in additional financial burdens.
6. Recovery costs: Addressing a cyber incident, from forensic investigations to public relations efforts, can be expensive.
7. Missed opportunities: Non-compliance can lead to lost contracts and business opportunities, especially with entities that mandate cybersecurity standards.

An overview of cybersecurity laws and legislation
This section will give a high-level overview of cybersecurity laws, standards and the governing bodies that exert their influence on these laws and standards.

Government agencies that influence cybersecurity regulations
Navigating the complex terrain of cybersecurity regulations in the United States requires understanding a vast network of interlinked agencies, each with its own charter to protect various facets of the nation's digital and physical infrastructure.
This ecosystem is a tapestry woven with the threads of policy, enforcement, and standardization, where agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DoD) play pivotal roles in crafting the guidelines and directives that shape the nation's defense against cyber threats. The White House and legislative bodies contribute to this web by issuing executive orders and laws that direct the course of cybersecurity policy, while international standards bodies such as the International Organization for Standardization (ISO) offer a global perspective on best practices. Together, these entities form a collaborative framework that influences the development, enforcement, and evolution of cybersecurity laws and standards, ensuring a unified approach to protecting the integrity, confidentiality, and availability of information systems and data.

❖ Cybersecurity and Infrastructure Security Agency (CISA)
Branch of the Department of Homeland Security (DHS) that oversees cybersecurity for critical infrastructure for the US federal government. Houses critical cybersecurity services, such as the National Cybersecurity and Communications Integration Centre (NCCIC), the United States Computer Emergency Readiness Team (US-CERT),