Philippine Military Academy Cybersecurity Unit 4 Handout PDF

Summary

This document provides a handout on cybersecurity, covering topics such as governance, data governance, cybersecurity policies, and various types of security policies. It details roles, responsibilities, and principles within cybersecurity.

Full Transcript

HEADQUARTERS
ACADEMIC GROUP, PHILIPPINE MILITARY ACADEMY
Department of Information Technology
Fort General Gregorio H del Pilar, Baguio City

CYBERSECURITY 2 UNT 4 HANDOUT

Governance
IT security governance determines who is authorized to make decisions about cybersecurity risks within an
organization. It demonstrates accountability and provides oversight to ensure that any risks are adequately
mitigated and that security strategies are aligned with the organization’s business objectives and are compliant
with regulations.
Data governance in particular determines who is authorized to make decisions about data within an
organization.

Several key roles in good data governance programs:
Data Owner: A person who ensures compliance with policies and procedures, assigns the proper classification
to information assets, and determines the criteria for accessing information assets.
Data Controller: A person who determines the purposes for which, and the way in which, personal data is
processed.
Data Processor: A person or organization who processes personal data on behalf of the data controller.
Data Custodian: A person who implements the classification and security controls for the data in accordance
with the rules set out by the data owner. In other words, data custodians are responsible for the technical
control of the data.
Data Steward: A person who ensures that data supports an organization’s business needs and meets
regulatory requirements.
Data Protection Officer: A person who oversees an organization’s data protection strategy.

Cybersecurity Policies
A cybersecurity policy is a high-level document that outlines an organization’s vision for cybersecurity,
including its goals, needs, scope and responsibilities. Specifically, it:
Demonstrates an organization’s commitment to security.
Sets the standards of behavior and security requirements for carrying out activities, processes and
operations, and protecting technology and information assets within an organization.
Ensures that the acquisition, use and maintenance of system operations, software and hardware is
consistent across the organization.
Defines the legal consequences of policy violations.
Gives the security team the support they need from senior management.

Most Common Types of Cybersecurity Policies
Master cybersecurity policy: The blueprint for an organization’s cybersecurity program, this policy serves as
the strategic plan for implementing cybersecurity controls.
System-specific policy: This type of policy is developed for specific devices or computer systems and aims to
establish standardization for approved applications, software, operating system configurations, hardware and
hardening countermeasures within an organization.
Issue-specific policy: This type of policy is developed for certain operational issues, circumstances or
conditions that may require more detailed requirements and directions.

Types of Security Policies
An organization needs to establish clear and detailed security policies that all employees are aware of. It is
critical that these policies also have the support of the senior management team.
Identification and authentication policy: Specifies who should be permitted access to network resources
and what verification procedures are in place to facilitate this.
Password Policy: Defines minimum password requirements, such as the number and type of characters used
and how often they need to be changed.
Acceptable Use Policy: Highlights a set of rules that determine access to and use of network resources. It
may also define the consequences of policy violations.
Remote Access Policy: Sets out how to remotely connect to an organization’s internal network and explains
what information is remotely accessible.
Network Maintenance Policy: Outlines procedures for updating an organization’s specified operating systems
and end-user applications.
Incident Handling Policy: Provides guidance on how to report and respond to security-related incidents within
an organization.
Data Policy: Sets out measurable rules for processing data within an organization, such as specifying where
data is stored, how data is classified (high, medium, low, confidential, public or private), and how data is
handled and disposed of.
Credential Policy: Provides guidance for how work should be carried out in an organization. Examples might
include change management, change control or asset management policies.
Organizational Policy: Provides guidance for how work should be carried out in an organization. Examples
might include change management, change control or asset management policies.

Guiding Principles for Human Resources
Central to an HR team’s cybersecurity governance responsibilities are seven guiding principles:
Background Checks: Organizations often require background checks as part of their hiring process. This may
involve a simple reference check or more rigorous procedures such as verifying educational credentials,
employment history, the validity of criminal records or drug testing.
Onboarding and Offboarding: Organizations need to have the right procedures in place to support new
employees taking up positions. This includes making them aware of acceptable use, data handling and
disposal policies as well as the repercussions of policy violations.
Procedures also need to be in place to remove an employee’s access to equipment and data when they leave
an organization.
Clean Desk: Organizations often request a clean desk policy to ensure that neither personal identifiable
information nor confidential information falls into the wrong hands. Clean desk policy messaging increases
employee awareness of the importance of not leaving potentially sensitive documents on their desk.
The ‘need to know’ principle: Employees in an organization are typically granted access to the data and
information that they need in order to do their job. The U.S. government uses the ‘need to know’ principle in its
access control models.
Separation of Duties: This measure is often put in place to ensure that more than one employee is required to
complete a particular task, effectively adding in extra checks and balances for security. This distribution of
control limits the power of any single employee over critical processes and reduces the risk of a task being
compromised.
Mandatory Vacations: Most organizations will insist that employees take a minimum period of vacation every
year, during which time another employee will cover their role. This helps an organization discover if any
employees have been involved in long-term, malicious activities.
Job Rotation Policies: Job rotation is a strategy where employees rotate between different job assignments
in an organization. It is one of the most expensive security strategies because it requires multiple employees
being able to perform the same tasks.
However, it can give employees a real insight into organization operations. It can also help to reduce employee
boredom and enhance employee skill levels. Critically, job rotation removes dependence on a single person
who can become a single point of failure if they leave an organization and no one else knows how to do their
job. This situation could put an organization at significant risk.
Security Frameworks (https://www.youtube.com/watch?v=lo4xQ-kuv54)

Security frameworks are a set of guidelines and best practices that can help organizations improve their
security posture. They can help organizations understand the different security processes available and what
they need to do to follow those processes. There are many different security frameworks available, and the
best one for an organization will depend on its specific needs.

Some of the most common security frameworks include:

Center for Internet Security (CIS) Critical Security Controls (CSC): This framework is designed to help
organizations improve the security posture of their organization. It is focused on 20 critical security controls in
different areas. There are different recommendations depending on the size of the organization.

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF): This
framework is required for United States federal government agencies. It has six steps to follow in the system
lifecycle: categorize, select, implement, assess, authorize, and monitor.

NIST Cybersecurity Framework (CSF): This framework is designed for commercial implementations. It has
three major areas: the framework core, the framework implementation tiers, and the framework profile.

International Organization for Standardization (ISO) and International Electrotechnical Commission
(IEC) frameworks: These frameworks are international standards. Some of the most common ones are ISO
IEC 27001 (information security management systems), ISO IEC 27002 (code of practice for information
security controls), ISO IEC 27701 (privacy information management systems), and ISO 31000 (risk
management).

Statement on Standards for Attestation Engagements (SSAE) 18 / SOC 2: This is an auditing standard
from the American Institute of Certified Public Accountants (AICPA). There are two types of audits: type 1 and
type 2. A type 1 audit examines the controls in place at a particular date and time. A type 2 audit tests the
controls over a period of at least six consecutive months.
Cloud Controls Matrix (CCM): This framework is from the Cloud Security Alliance (CSA). It maps controls to
standards, best practices, and regulations that you need to follow in the cloud.

A more focused discussion on IS 27000 and NIST CSF:

ISO 27000 (https://www.youtube.com/watch?v=x792wXSeAhA)
ISO 27001 is an international standard that specifies the requirements for an information security management
system (ISMS)

ISMS

An ISMS is a systematic approach consisting of people, processes, and technology that helps
organizations protect and manage all their information.
An ISMS that conforms to ISO 27001 can help organizations comply with various laws and regulations
related to information security.

Benefits of ISO 27001

Secure information in all forms (digital, paper-based, or cloud-stored)
Increase attack resilience against cyber attacks
Protect against various threats including poorly informed staff or ineffective procedures
Adapt to evolving security threats
Reduce costs associated with information security
Protect the confidentiality, availability, and integrity of data
Make security part of everyday business practices for employees

ISO 27001 Controls

There are 114 controls in ISO 27001 covering a wide range of information security areas, such as:
Physical access control
Firewall policies
Security staff awareness programs
Threat monitoring procedures
Incident management processes
Encryption

Overview - NIST Cybersecurity Framework 2.0 (https://www.youtube.com/watch?v=f-6J7-WqcGE)
The NIST CSF is a framework that helps organizations manage their cybersecurity risks and build
resilience against evolving threats.

Components of the NIST CSF
A. Core: A set of cybersecurity outcomes that helps organizations understand what they need to do in
their cybersecurity program.
o It is written in plain language in a hierarchical structure with functions at the top level, breaking
down into categories and subcategories.
The CSF Core Functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER —
organize cybersecurity outcomes at their highest level.

1. GOVERN (GV) — The organization’s cybersecurity risk management strategy, expectations,
and policy are established, communicated, and monitored. The GOVERN Function provides
outcomes to inform what an organization may do to achieve and prioritize the outcomes of the
other five Functions in the context of its mission and stakeholder expectations. Governance
activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk
management (ERM) strategy. GOVERN addresses an understanding of organizational context;
 the establishment of cybersecurity strategy and cybersecurity supply chain risk management;
roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
2. IDENTIFY (ID) — The organization’s current cybersecurity risks are understood. Understanding
the organization’s assets (e.g., data, hardware, software, systems, facilities, services, people),
suppliers, and related cybersecurity risks enables an organization to prioritize its efforts
consistent with its risk management strategy and the mission needs identified under GOVERN.
This Function also includes the identification of
improvement opportunities for the organization’s policies, plans, processes, procedures, and
practices that support cybersecurity risk management to inform efforts under all six Functions.
3. PROTECT (PR) — Safeguards to manage the organization’s cybersecurity risks are used. Once
assets and risks are identified and prioritized, PROTECT supports the ability to secure those
assets to prevent or lower the likelihood and impact of adverse cybersecurity events, as well as
to increase the likelihood and impact of taking advantage of opportunities. Outcomes covered
by this Function include identity management, authentication, and access control; awareness
and training; data security; platform security (i.e., securing the hardware, software, and services
of physical and virtual platforms); and the resilience of technology infrastructure.
4. DETECT (DE) — Possible cybersecurity attacks and compromises are found and analyzed.
DETECT enables the timely discovery and analysis of anomalies, indicators of compromise, and
other potentially adverse events that may indicate that cybersecurity attacks and incidents are
occurring. This Function supports successful incident response and recovery activities.
5. RESPOND (RS) — Actions regarding a detected cybersecurity incident are taken. RESPOND
supports the ability to contain the effects of cybersecurity incidents. Outcomes within this
Function cover incident management, analysis, mitigation, reporting, and communication.
6. RECOVER (RC) — Assets and operations affected by a cybersecurity incident are restored.
RECOVER supports the timely restoration of normal operations to reduce the effects of
cybersecurity incidents and enable appropriate communication during recovery efforts. While
many cybersecurity risk management activities focus on preventing negative events from
occurring, they may also support taking advantage of positive opportunities. Actions to reduce
cybersecurity risk might benefit an organization in other ways, like increasing revenue (e.g., first
offering excess facility space to a commercial hosting provider for hosting their own and other
organizations’ data centers, then moving a major financial system from the organization’s in-
house data center to the hosting provider to reduce cybersecurity risks).

B. Implementation Tiers: A tool for measuring how well an organization is managing its cybersecurity
capabilities and therefore its cybersecurity risk.

o The tiers are:
▪ Partial: This is a starting point for most businesses where risk management isn’t
properly implemented and cybersecurity is not formalized.
▪ Risk Informed: There is a level of risk management here, however, these protocols are
not standardized across the company.
▪ Repeatable: At this point, a formal and organized cybersecurity strategy is in place with
refined policies and protocols.
▪ Adaptive: At the final tier, the company shows extensive cybersecurity awareness and
implements thorough risk management strategies that are informed by threat
intelligence.

C. Profiles: A way to capture what an organization is doing as it relates to the CSF core.
 A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture
in terms of the Core’s outcomes. Organizational Profiles are used to understand, tailor, assess,
prioritize, and communicate the Core’s outcomes by considering an organization’s mission objectives,
stakeholder expectations, threat landscape, and requirements. An organization can then prioritize its
actions to achieve specific outcomes and communicate that information to stakeholders.

Every Organizational Profile includes one or both of the following:
1. A Current Profile specifies the Core outcomes that an organization is currently achieving (or
attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
2. A Target Profile specifies the desired outcomes that an organization has selected and prioritized for
achieving its cybersecurity risk management objectives. A Target Profile considers anticipated
changes to the organization’s cybersecurity posture, such as new requirements, new technology
adoption, and threat intelligence trends.
A Community Profile is a baseline of CSF outcomes that is created and published to address shared
interests and goals among a number of organizations. A Community Profile is typically developed for a
particular sector, subsector, technology, threat type, or other use case. An organization can use a
Community Profile as the basis for its own Target Profile.

Benefits of using the NIST CSF

The NIST CSF is a great tool for organizations of all sizes and industries, regardless of whether they
are just starting their cybersecurity journey or looking to enhance existing practices.
It provides a structured yet flexible approach that helps organizations figure out what they need to do
when it comes to cybersecurity.
It enables easier conversations at every level of an organization, from strategic discussions with the
board to technical conversations with IT and security teams.

The Age of Cyber Warfare: The Digital Battlefield (https://www.youtube.com/watch?v=yTvCnWJ9jic)

Key Points:

Technology is Reshaping Warfare: Technological advancements are fundamentally changing the
way wars are fought. Cyber attacks are becoming increasingly common, blurring the lines between
physical and virtual battlefields.
Cyber Warfare Involves Disrupting Critical Infrastructure: A cyber attack can target a nation's
critical infrastructure, such as power grids, transportation systems, and communication networks,
causing widespread disruption and chaos.
A New Era of Gray Zone Warfare: Cyber attacks often exist in a gray zone, making it difficult to
attribute blame and leading to questions about international law.
The Speed of Warfare is Accelerating: Cyber warfare happens much faster than traditional warfare,
with attackers constantly developing new methods and defenders struggling to keep pace.
The Future of Warfare is Multi-Domain: Future warfare will likely involve a combination of cyber
attacks, kinetic attacks (physical attacks with weapons), and information warfare (manipulating
information to achieve an advantage).

REFERENCES:
Cisco Networking Academy. (n.d.). Introduction to Cybersecurity 2.1.
https://www.netacad.com/launch?id=dbfb6f9a-665f-472d-8e06-
936c72be1df5&tab=learning&assignment=d77ae095-4c63-45ea-a5dc-
599c26ab71a8&activeTab=assignmentdetails

IT Governance Ltd. (2017, June 21). What is ISO 27001? | A Brief Summary of the Standard.
https://www.youtube.com/watch?v=x792wXSeAhA

Messer, Professor. (2020, March 23). Security Frameworks - SY0-601 CompTIA Security+ : 5.2.
https://www.youtube.com/watch?v=lo4xQ-kuv54

Naked Science. (2022, October 18). The Age of Cyber Warfare: The Digital Battlefield | Future Warfare.
https://www.youtube.com/watch?v=yTvCnWJ9jic

Optic cyber. (2023, September 29). Overview - NIST Cybersecurity Framework 2.0
https://www.youtube.com/watch?v=f-6J7-WqcGE