Cybersecurity 2 Unit 4 Handout PDF
Philippine Military Academy
2020
This document is a handout on cybersecurity for a unit at the Philippine Military Academy. It covers topics such as data governance, cybersecurity policies, types of policies, and guiding principles for human resources.
HEADQUARTERS ACADEMIC GROUP, PHILIPPINE MILITARY ACADEMY
Department of Information Technology
Fort General Gregorio H del Pilar, Baguio City

CYBERSECURITY 2 UNIT 4 HANDOUT

Governance
IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization. It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organization’s business objectives and are compliant with regulations.

Data governance in particular determines who is authorized to make decisions about data within an organization. Several key roles in good data governance programs:
Data Owner: A person who ensures compliance with policies and procedures, assigns the proper classification to information assets, and determines the criteria for accessing information assets.
Data Controller: A person who determines the purposes for which, and the way in which, personal data is processed.
Data Processor: A person or organization who processes personal data on behalf of the data controller.
Data Custodian: A person who implements the classification and security controls for the data in accordance with the rules set out by the data owner. In other words, data custodians are responsible for the technical control of the data.
Data Steward: A person who ensures that data supports an organization’s business needs and meets regulatory requirements.
Data Protection Officer: A person who oversees an organization’s data protection strategy.

Cybersecurity Policies
A cybersecurity policy is a high-level document that outlines an organization’s vision for cybersecurity, including its goals, needs, scope and responsibilities. Specifically, it:
- Demonstrates an organization’s commitment to security.
- Sets the standards of behavior and security requirements for carrying out activities, processes and operations, and protecting technology and information assets within an organization.
- Ensures that the acquisition, use and maintenance of system operations, software and hardware is consistent across the organization.
- Defines the legal consequences of policy violations.
- Gives the security team the support they need from senior management.

Most Common Types of Cybersecurity Policies
Master cybersecurity policy: The blueprint for an organization’s cybersecurity program, this policy serves as the strategic plan for implementing cybersecurity controls.
System-specific policy: This type of policy is developed for specific devices or computer systems and aims to establish standardization for approved applications, software, operating system configurations, hardware and hardening countermeasures within an organization.
Issue-specific policy: This type of policy is developed for certain operational issues, circumstances or conditions that may require more detailed requirements and directions.

Types of Security Policies
An organization needs to establish clear and detailed security policies that all employees are aware of. It is critical that these policies also have the support of the senior management team.
Identification and authentication policy: Specifies who should be permitted access to network resources and what verification procedures are in place to facilitate this.
Password Policy: Defines minimum password requirements, such as the number and type of characters used and how often they need to be changed.
Acceptable Use Policy: Highlights a set of rules that determine access to and use of network resources. It may also define the consequences of policy violations.
Remote Access Policy: Sets out how to remotely connect to an organization’s internal network and explains what information is remotely accessible.
Network Maintenance Policy: Outlines procedures for updating an organization’s specified operating systems and end-user applications.
Incident Handling Policy: Provides guidance on how to report and respond to security-related incidents within an organization.
Data Policy: Sets out measurable rules for processing data within an organization, such as specifying where data is stored, how data is classified (high, medium, low, confidential, public or private), and how data is handled and disposed of.
Credential Policy: Provides guidance for how work should be carried out in an organization. Examples might include change management, change control or asset management policies.
Organizational Policy: Provides guidance for how work should be carried out in an organization. Examples might include change management, change control or asset management policies.

Guiding Principles for Human Resources
Central to an HR team’s cybersecurity governance responsibilities are seven guiding principles:
Background Checks: Organizations often require background checks as part of their hiring process. This may involve a simple reference check or more rigorous procedures such as verifying educational credentials, employment history, the validity of criminal records or drug testing.
Onboarding and Offboarding: Organizations need to have the right procedures in place to support new employees taking up positions. This includes making them aware of acceptable use, data handling and disposal policies as well as the repercussions of policy violations. Procedures also need to be in place to remove an employee’s access to equipment and data when they leave an organization.
Clean Desk: Organizations often request a clean desk policy to ensure that neither personally identifiable information nor confidential information falls into the wrong hands. Clean desk policy messaging increases employee awareness of the importance of not leaving potentially sensitive documents on their desk.
The ‘need to know’ principle: Employees in an organization are typically granted access to the data and information that they need in order to do their job. The U.S. government uses the ‘need to know’ principle in its access control models.
Separation of Duties: This measure is often put in place to ensure that more than one employee is required to complete a particular task, effectively adding in extra checks and balances for security. This distribution of control limits the power of any single employee over critical processes and reduces the risk of a task being compromised.
Mandatory Vacations: Most organizations will insist that employees take a minimum period of vacation every year, during which time another employee will cover their role. This helps an organization discover if any employees have been involved in long-term, malicious activities.
Job Rotation Policies: Job rotation is a strategy where employees rotate between different job assignments in an organization. It is one of the most expensive security strategies because it requires multiple employees to be able to perform the same tasks. However, it can give employees a real insight into organization operations. It can also help to reduce employee boredom and enhance employee skill levels. Critically, job rotation removes dependence on a single person who can become a single point of failure if they leave an organization and no one else knows how to do their job. This situation could put an organization at significant risk.

Security Frameworks (https://www.youtube.com/watch?v=lo4xQ-kuv54)
Security frameworks are a set of guidelines and best practices that can help organizations improve their security posture. They can help organizations understand the different security processes available and what they need to do to follow those processes. There are many different security frameworks available, and the best one for an organization will depend on its specific needs.
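Two of the HR principles above, offboarding (access removed when an employee leaves) and separation of duties (no single person completes a controlled task alone), can be verified mechanically against identity and change records. The following Python example is added here and is not part of the original handout; the employee, account and change records are constructed sample data, and the record fields and check names are assumptions.

```python
"""Added example (not from the handout): mechanical checks for two HR principles,
offboarding (access removed on departure) and separation of duties.
All records are constructed sample data; the field names are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Employee:
    user: str
    left_on: Optional[date]  # None means still employed

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]

@dataclass(frozen=True)
class Change:
    change_id: str
    requested_by: str
    approved_by: str

def offboarding_gaps(employees: List[Employee], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Flag accounts of departed staff that are still enabled or were used after departure."""
    departed = {e.user: e.left_on for e in employees if e.left_on is not None}
    findings = []
    for acct in accounts:
        left_on = departed.get(acct.user)
        if left_on is None:
            continue  # current employee: nothing to check here
        if acct.enabled:
            findings.append((acct.user, "account still enabled after offboarding"))
        if acct.last_login is not None and acct.last_login > left_on:
            findings.append((acct.user, "login after offboarding date"))
    return findings

def sod_violations(changes: List[Change]) -> List[str]:
    """Return change IDs where the requester also acted as the approver."""
    return [c.change_id for c in changes if c.requested_by == c.approved_by]

# Constructed sample records: HR export, IAM export and change tickets.
EMPLOYEES = [Employee("alice", None), Employee("bob", date(2024, 3, 1)), Employee("carol", date(2024, 2, 15))]
ACCOUNTS = [
    Account("alice", True, date(2024, 3, 10)),   # current employee, fine
    Account("bob", True, date(2024, 3, 5)),      # left 1 Mar: still enabled and used on 5 Mar
    Account("carol", False, date(2024, 2, 10)),  # disabled, last login before departure
]
CHANGES = [Change("CHG-1", "alice", "bob"), Change("CHG-2", "alice", "alice")]

if __name__ == "__main__":
    for user, issue in offboarding_gaps(EMPLOYEES, ACCOUNTS):
        print(f"offboarding gap for {user}: {issue}")
    for change_id in sod_violations(CHANGES):
        print(f"separation-of-duties violation: {change_id}")
```

In practice the same checks run over a real HR export and an IAM export on a schedule, and each finding becomes a ticket for the account owner's manager and the identity team.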
Some of the most common security frameworks include:
Center for Internet Security (CIS) Critical Security Controls (CSC): This framework is designed to help organizations improve the security posture of their organization. It is focused on 20 critical security controls in different areas. There are different recommendations depending on the size of the organization.
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF): This framework is required for United States federal government agencies. It has six steps to follow in the system lifecycle: categorize, select, implement, assess, authorize, and monitor.
NIST Cybersecurity Framework (CSF): This framework is designed for commercial implementations. It has three major areas: the framework core, the framework implementation tiers, and the framework profile.
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) frameworks: These frameworks are international standards. Some of the most common ones are ISO/IEC 27001 (information security management systems), ISO/IEC 27002 (code of practice for information security controls), ISO/IEC 27701 (privacy information management systems), and ISO 31000 (risk management).
Statement on Standards for Attestation Engagements (SSAE) 18 / SOC 2: This is an auditing standard from the American Institute of Certified Public Accountants (AICPA). There are two types of audits: type 1 and type 2. A type 1 audit examines the controls in place at a particular date and time. A type 2 audit tests the controls over a period of at least six consecutive months.
Cloud Controls Matrix (CCM): This framework is from the Cloud Security Alliance (CSA). It maps controls to standards, best practices, and regulations that you need to follow in the cloud.
A more focused discussion on ISO 27000 and NIST CSF:

ISO 27000 (https://www.youtube.com/watch?v=x792wXSeAhA)
ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS).

ISMS
An ISMS is a systematic approach consisting of people, processes, and technology that helps organizations protect and manage all their information. An ISMS that conforms to ISO 27001 can help organizations comply with various laws and regulations related to information security.

Benefits of ISO 27001
- Secure information in all forms (digital, paper-based, or cloud-stored)
- Increase attack resilience against cyber attacks
- Protect against various threats including poorly informed staff or ineffective procedures
- Adapt to evolving security threats
- Reduce costs associated with information security
- Protect the confidentiality, availability, and integrity of data
- Make security part of everyday business practices for employees

ISO 27001 Controls
There are 114 controls in ISO 27001 covering a wide range of information security areas, such as:
- Physical access control
- Firewall policies
- Security staff awareness programs
- Threat monitoring procedures
- Incident management processes
- Encryption

Overview - NIST Cybersecurity Framework 2.0 (https://www.youtube.com/watch?v=f-6J7-WqcGE)
The NIST CSF is a framework that helps organizations manage their cybersecurity risks and build resilience against evolving threats.

Components of the NIST CSF
A. Core: A set of cybersecurity outcomes that helps organizations understand what they need to do in their cybersecurity program.
   - It is written in plain language in a hierarchical structure with functions at the top level, breaking down into categories and subcategories.
   The CSF Core Functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER — organize cybersecurity outcomes at their highest level.
   1. GOVERN (GV) — The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. The GOVERN Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
   2. IDENTIFY (ID) — The organization’s current cybersecurity risks are understood. Understanding the organization’s assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks enables an organization to prioritize its efforts consistent with its risk management strategy and the mission needs identified under GOVERN. This Function also includes the identification of improvement opportunities for the organization’s policies, plans, processes, procedures, and practices that support cybersecurity risk management to inform efforts under all six Functions.
   3. PROTECT (PR) — Safeguards to manage the organization’s cybersecurity risks are used. Once assets and risks are identified and prioritized, PROTECT supports the ability to secure those assets to prevent or lower the likelihood and impact of adverse cybersecurity events, as well as to increase the likelihood and impact of taking advantage of opportunities. Outcomes covered by this Function include identity management, authentication, and access control; awareness and training; data security; platform security (i.e., securing the hardware, software, and services of physical and virtual platforms); and the resilience of technology infrastructure.
   4. DETECT (DE) — Possible cybersecurity attacks and compromises are found and analyzed. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring. This Function supports successful incident response and recovery activities.
   5. RESPOND (RS) — Actions regarding a detected cybersecurity incident are taken. RESPOND supports the ability to contain the effects of cybersecurity incidents. Outcomes within this Function cover incident management, analysis, mitigation, reporting, and communication.
   6. RECOVER (RC) — Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate communication during recovery efforts.
   While many cybersecurity risk management activities focus on preventing negative events from occurring, they may also support taking advantage of positive opportunities. Actions to reduce cybersecurity risk might benefit an organization in other ways, like increasing revenue (e.g., first offering excess facility space to a commercial hosting provider for hosting their own and other organizations’ data centers, then moving a major financial system from the organization’s in-house data center to the hosting provider to reduce cybersecurity risks).
B. Implementation Tiers: A tool for measuring how well an organization is managing its cybersecurity capabilities and therefore its cybersecurity risk.
   The tiers are:
   - Partial: This is a starting point for most businesses where risk management isn’t properly implemented and cybersecurity is not formalized.
   - Risk Informed: There is a level of risk management here; however, these protocols are not standardized across the company.
   - Repeatable: At this point, a formal and organized cybersecurity strategy is in place with refined policies and protocols.
   - Adaptive: At the final tier, the company shows extensive cybersecurity awareness and implements thorough risk management strategies that are informed by threat intelligence.
C. Profiles: A way to capture what an organization is doing as it relates to the CSF core.
   A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the Core’s outcomes. Organizational Profiles are used to understand, tailor, assess, prioritize, and communicate the Core’s outcomes by considering an organization’s mission objectives, stakeholder expectations, threat landscape, and requirements. An organization can then prioritize its actions to achieve specific outcomes and communicate that information to stakeholders.
   Every Organizational Profile includes one or both of the following:
   1. A Current Profile specifies the Core outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
   2. A Target Profile specifies the desired outcomes that an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization’s cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.
   A Community Profile is a baseline of CSF outcomes that is created and published to address shared interests and goals among a number of organizations.
   A Community Profile is typically developed for a particular sector, subsector, technology, threat type, or other use case. An organization can use a Community Profile as the basis for its own Target Profile.

Benefits of using the NIST CSF
The NIST CSF is a great tool for organizations of all sizes and industries, regardless of whether they are just starting their cybersecurity journey or looking to enhance existing practices. It provides a structured yet flexible approach that helps organizations figure out what they need to do when it comes to cybersecurity. It enables easier conversations at every level of an organization, from strategic discussions with the board to technical conversations with IT and security teams.

The Age of Cyber Warfare: The Digital Battlefield (https://www.youtube.com/watch?v=yTvCnWJ9jic)
Key Points:
Technology is Reshaping Warfare: Technological advancements are fundamentally changing the way wars are fought. Cyber attacks are becoming increasingly common, blurring the lines between physical and virtual battlefields.
Cyber Warfare Involves Disrupting Critical Infrastructure: A cyber attack can target a nation's critical infrastructure, such as power grids, transportation systems, and communication networks, causing widespread disruption and chaos.
A New Era of Gray Zone Warfare: Cyber attacks often exist in a gray zone, making it difficult to attribute blame and leading to questions about international law.
The Speed of Warfare is Accelerating: Cyber warfare happens much faster than traditional warfare, with attackers constantly developing new methods and defenders struggling to keep pace.
The Future of Warfare is Multi-Domain: Future warfare will likely involve a combination of cyber attacks, kinetic attacks (physical attacks with weapons), and information warfare (manipulating information to achieve an advantage).

REFERENCES:
Cisco Networking Academy. (n.d.). Introduction to Cybersecurity 2.1. https://www.netacad.com/launch?id=dbfb6f9a-665f-472d-8e06-936c72be1df5&tab=learning&assignment=d77ae095-4c63-45ea-a5dc-599c26ab71a8&activeTab=assignmentdetails
IT Governance Ltd. (2017, June 21). What is ISO 27001? | A Brief Summary of the Standard. https://www.youtube.com/watch?v=x792wXSeAhA
Messer, Professor. (2020, March 23). Security Frameworks - SY0-601 CompTIA Security+ : 5.2. https://www.youtube.com/watch?v=lo4xQ-kuv54
Naked Science. (2022, October 18). The Age of Cyber Warfare: The Digital Battlefield | Future Warfare. https://www.youtube.com/watch?v=yTvCnWJ9jic
Optic cyber. (2023, September 29). Overview - NIST Cybersecurity Framework 2.0. https://www.youtube.com/watch?v=f-6J7-WqcGE