Task 1 - Discuss risk assessment procedures (P5)
Define a security risk and how to do risk assessment
A security risk is the possibility that a particular threat will be realized against a specific vulnerability. Most risks represent potential damage or unfavorable outcomes that could harm the organization. Not all risks are inherently harmful, however; some can result in favorable outcomes. The amount of risk is determined by the extent of the damage (or, occasionally, the benefit) that a realized threat would cause.
How to do risk assessment
Two Approaches to Risk Assessment: Quantitative and Qualitative
Qualitative risk assessment: Qualitative risk assessment ranks risks based on their probability of occurrence and their impact on business operations. Impact is the degree of effect a realized threat would have, and it is often expressed on a scale from low (insignificant) to high (catastrophic). Qualitative risk assessments can be fairly subjective, but they do help determine the most critical risks. This type of assessment requires input from people who work in different departments and encourages the use of relative terms; for example, a qualitative assessment asks which risks are worse than others. This allows business units and technical experts to understand the ripple effects of an event on other departments or operations.
Quantitative risk assessment: This type of risk assessment attempts to describe risk in financial terms and put a dollar value on each risk. It is more objective than a qualitative analysis. One drawback is that many risks have values that are difficult to measure, such as reputation and the availability of countermeasures. Exact numbers can be hard to determine, especially the cost of the impact of future events. On the other hand, quantitative risk assessments are easier to automate than qualitative assessments. In short, quantitative analysis puts a dollar figure on risk.
Qualitative analysis defines risks based on the severity of their impact and/or probability.
The two methods can be combined. Qualitative risk analysis gives a deeper understanding of the overall impact of a disruption as its effects spread through an organization, and it frequently leads to better communication about how departments must collaborate to limit damage. What it lacks is the financial data that a quantitative risk analysis produces, and that cost data is typically required to justify the price of countermeasures. As a result, you should consider both techniques.
Define assets, threats and threat identification procedures, and give examples
An asset is any item that has value. Although all items in an organization have some value, the term asset generally applies to those items that have substantial value. An organization's assets can include the following:
Customer data—Name, address, phone, Social Security number (SSN), date of birth, cardholder data, protected health care information.
IT assets and network infrastructure—Hardware, software, and services.
Intellectual property—Sensitive data such as patents, source code, formulas, or engineering plans.
Finances and financial data—Bank accounts, credit card data, and financial transaction data.
Service availability and productivity—The ability of computing services and software to support productivity for humans and machinery.
Reputation—Corporate compliance and brand image.
A threat is any action that can damage or compromise an asset. Threats can come from an individual, a group of individuals, or an organization. A threat to a computing device is any action, either accidental or malicious, that can have a negative effect on the assets and resources of an individual or organization. The asset might be hardware, software, databases, files, data, or the physical network itself.
A threat is significant from a security viewpoint. The goal of computer security is to provide insights, methodologies, and techniques that deal with threats. You can achieve this goal by developing policies that help computer and network system administrators, designers, developers, and users avoid undesirable system characteristics and weaknesses. You can identify threats and rank them according to their importance and impact, for example by their potential for dollar loss, the negative reputation they would create, monetary liability, or how often they are likely to occur. Each organization may rank a given threat higher or lower than another organization does, based on the threat's impact on that organization.
The most common threats, in no particular order, include the following:
Threat identification is the process of identifying potential threats to an organization's assets. Several procedures can be used to identify threats, including:
Conducting a threat assessment: This involves analyzing the organization's environment, operations, and assets to identify potential threats and vulnerabilities.
Reviewing historical data: This involves analyzing past security incidents to identify common threats and attack vectors.
Using threat intelligence: This involves leveraging external sources, such as security blogs and forums, to stay informed about emerging threats and attack techniques.
Conducting security audits and assessments: This involves analyzing the organization's security posture to identify potential vulnerabilities and areas of weakness.
Soliciting input from employees and stakeholders: This involves seeking feedback from employees and stakeholders about potential security risks and threats.
Explain the risk assessment procedure
To evaluate quantified risk, you must first determine the value of an asset and the likelihood of a loss (the event's loss probability). Calculating the risk is a multistep process:
Calculate the asset value (AV): Anything of value to a company is considered an asset. Buildings are a concrete example of an asset; reputation is an intangible one. Identifying all of the organization's assets and their value, that is, the significance of each asset to the organization's ability to fulfill its mission, is the first stage of the risk assessment process. Asset valuation should take into account the cost of replacing equipment or systems, and it should also account for losses such as decreased productivity and diminished client confidence.
Calculate the exposure factor (EF): The EF is the portion of the asset's value that would be lost in a single incident. For instance, not all automobile accidents result in a total loss. Actuaries employed by insurance firms determine the probable percentage loss for each claim: they know the cost of repairs for every make and model and can forecast the exposure factor for each claim. The prediction will not be accurate for any one claim (other than by coincidence), but it will be accurate when applied to hundreds or thousands of claims.
Calculate the single loss expectancy (SLE): The two values above determine the cost of a single loss: SLE = AV x EF. Every time an actuary receives a claim, all he has to do is look up the asset value and multiply it by the EF to get a good estimate of the payout. For example, if the EF of a modern SUV is calculated to be 20%, the SLE for that vehicle is 20% of its asset value. Knowing this in advance lowers the likelihood that the insurance company will experience an unexpected financial loss and enables the actuary to set insurance rates appropriately.
Determine how often a loss is likely to occur each year; this is the risk likelihood, or annualized rate of occurrence (ARO): Some AROs exceed one. For instance, snowstorms occur several times a year in Buffalo and Berlin. Other events occur far less often; a warehouse fire, for example, might occur once every 20 years (an ARO of 0.05). It can be challenging to predict how frequently an event will occur, and the estimate may be affected by internal or external variables. Historical data does not always predict future outcomes: incidents caused by an internal threat, for example, are much more frequent during periods of employee unrest or contract negotiations than at other times.
Determine the annualized loss expectancy (ALE): The SLE (the loss resulting from one occurrence) multiplied by the ARO equals the ALE, so ALE = SLE x ARO. The ALE lets an organization determine the overall yearly effect of a risk. For rare incidents the ALE will be substantially lower than the SLE.
Probability or likelihood: Some things, such as the malfunction of a badge reader on the employee entrance, will seldom happen. Others, such as employees calling in sick, will almost certainly happen.
Impact: Some things, such as a workstation that fails to boot, will have a minor impact on productivity. Others, such as a production system breaking down, will have a major impact.
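As an added worked example (not part of the original text), the following Python code carries the AV, EF, SLE, ARO and ALE steps above through two constructed scenarios: a rare warehouse fire and a frequent snowstorm. The asset values, exposure factors and rates are assumptions chosen for illustration. It also applies a cost-benefit rule that the text only alludes to (ALE before a countermeasure, minus ALE after it, minus the countermeasure's annual cost), which is the usual way the ALE is used to justify countermeasure spending.

```python
"""Worked quantitative risk calculation: AV, EF, SLE, ARO, ALE.

Added example; the asset values, exposure factors and rates below are
constructed for illustration, not figures from the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # annualized rate of occurrence (may exceed 1)

    def __post_init__(self):
        # Guard against the two input mistakes that silently corrupt an ALE:
        # an EF given as a percentage (20 instead of 0.20) or a negative rate.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: value lost in one incident (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
        return self.sle * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual value of a countermeasure (assumed cost-benefit rule):
    ALE before the safeguard, minus ALE after it, minus its yearly cost.
    A positive result means the safeguard pays for itself."""
    return before.ale - after.ale - annual_cost


def rank_by_ale(risks):
    """Return risks ordered from highest to lowest expected annual loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed scenario: a warehouse whose fire is expected once every 20 years
# (ARO = 0.05) and a data centre hit by a damaging snowstorm twice a year.
warehouse_fire = Risk("warehouse", asset_value=2_000_000, exposure_factor=0.60, aro=0.05)
snowstorm = Risk("data centre", asset_value=500_000, exposure_factor=0.10, aro=2.0)

# A sprinkler retrofit (assumed) halves the fire's exposure factor and costs
# 20,000 a year to maintain; the ARO of a fire starting is unchanged.
warehouse_with_sprinklers = Risk("warehouse", 2_000_000, exposure_factor=0.30, aro=0.05)


if __name__ == "__main__":
    for r in rank_by_ale([warehouse_fire, snowstorm]):
        print(f"{r.asset:12s} SLE={r.sle:>12,.0f}  ALE={r.ale:>10,.0f}")
    print("sprinkler net value per year:",
          safeguard_value(warehouse_fire, warehouse_with_sprinklers, 20_000))
```

The snowstorm has a far smaller SLE than the fire but a larger ALE because it happens often; ranking by ALE rather than SLE is what puts the frequent small loss ahead of the rare large one, and the safeguard calculation is what turns the ALE into a justification for spending.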
List risk identification steps
Identifying risks is the first stage of the risk management process. Organizations use a variety of techniques to identify risks; each takes a different approach to the same problem while trying to identify as many risks as possible. The fundamental approach in every case is to assemble a thorough list of risks using data from numerous sources. The following are some of the more common techniques:
Brainstorming: This technique involves getting unstructured input from members in a group meeting. The facilitator should encourage all members to offer suggestions without fear of criticism or ridicule.
Surveys: Organizations that use this technique send lists of prepared questions to participants for input. A variety of people from different areas of the organization should be chosen to get the best input. The Delphi method is a specific type of survey in which responses are anonymized, shuffled, and sent back out to participants for comment. Keeping input anonymous fosters more open dialogue.
Interviews: Interviews, held in either group settings or one on one, can be an effective approach to gather details on risks from the interviewee’s perspective.
Working groups: This technique focuses on soliciting feedback from a group of individuals selected from a specific work area. The feedback working groups provide generally helps identify risks in specific areas.
Checklists: Many organizations develop checklists of risks for either their own use or for general distribution. Checklists developed for similar organizations or purposes can help ensure that you cover the breadth of risks.
Historical information: Unless an organization is brand new, it will have some historical information at its disposal. This may be the output of a previous risk identification process, or it may be documentation of things that went wrong in the past. Either way, historical information can be valuable for identifying current risks.
Explain data protection processes and regulations as applicable to an organisation (P6)
Define data protection
Data protection is the process of defending sensitive information against loss, tampering, or corruption.
Explain data protection process in an organization
Data loss prevention (DLP) is one method of data protection. DLP is a system of security technologies used to detect and recognize data that is essential to the company and to make sure it is secured. This protection entails monitoring how the data is accessed and by whom. DLP's goal is to protect data from any unauthorized user.
Data can be examined by DLP in one of three states:
Data in-use: Data in-use refers to actions being performed on data by "endpoint devices," such as creating a report on a desktop computer.
Data in-transit: Actions that transmit the data across a network, like an email sent across the Internet, are called data in-transit.
Data at-rest: Data at-rest is data that is stored on electronic media.
Via DLP, data that is deemed essential to the business or that must remain private can be marked as such. A user is then prevented from accessing that data in order to reveal it to an unauthorized party.
Most DLP systems use content inspection. Content inspection is a security evaluation of the transaction within its authorized context: in addition to the data's security level, it considers who is making the request, where the data is stored, when the request was made, and for what purpose. Index matching is a further option for DLP systems. The DLP system analyzes documents that have been designated as needing protection, such as the source code for a new software application, and computes fingerprints from that analysis. If even a small portion of the document is later exposed, the DLP system can identify the leaked portion as coming from a protected document.
DLP begins with an administrator creating DLP rules based on the data (what is to be examined) and the policy (what to check for). DLP can be configured to look for specific data (such as Social Security and credit card numbers), lines of computer software source code, words in a sequence (to prevent a report from leaving the network), maximum file sizes, and file types. Because it can be difficult to distinguish a Social Security number from a mistyped telephone number or a nine-digit online order number, DLP can use fingerprinting to identify important data more precisely; a fingerprint may consist of a Social Security number together with a name before an alarm is triggered. In addition, whitelists and blacklists can be created to exclude specific files from scanning. These rules are then loaded into a DLP server. Because data can be leaked in different ways, there are three main types of DLP sensors:
DLP network sensors: These are installed on the perimeter of the network to protect data in-transit by monitoring all network traffic. This includes monitoring email, instant messaging, social media interactions, and other web applications. DLP network sensors can monitor multiple protocols (including HTTP, SMTP, POP, IMAP, FTP, and Telnet).
DLP storage sensors: Sensors on network storage devices are designed to protect data at-rest. These sensors monitor the devices to ensure that files on drives that store sensitive data are encrypted. They also scan the drives to determine where specific data is stored.
DLP agent sensors: These sensors are installed on each host device (desktop, laptop, tablet, etc.) and protect data in-use. DLP agent sensors watch for actions such as printing, copying to a USB flash drive, and burning to a CD or DVD. They can also read inside compressed (ZIP) files and binary files (such as older non-XML Microsoft Office files).
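The following Python script is an added example, not the code of any DLP product, showing the two detection techniques described above: pattern rules with validation (so that a nine-digit order number or a mistyped phone number does not trip the Social Security number rule, and only Luhn-valid numbers count as payment cards) and index matching, in which a protected document is broken into hashed word windows so that even a short excerpt of it can be recognized in outgoing traffic. The rule set, the protected source file and the sample messages are constructed for illustration; the five-word window size is an assumption.

```python
"""Simplified DLP content inspection: validated pattern rules plus
index matching (partial-document fingerprints).

Added example, not the code of any DLP product. The rules, the protected
document and the outgoing messages are constructed for illustration.
"""
import hashlib
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SHINGLE_WORDS = 5  # assumed window size: smaller catches shorter excerpts but more false hits


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that look like SSNs but cannot be issued ones.
    SSA rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most order
    numbers and phone numbers that merely have enough digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> list:
    """Return (rule, value) pairs for validated identifiers found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def shingles(text: str, k: int = SHINGLE_WORDS):
    """Normalized k-word windows, each hashed so the index never stores the text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    for i in range(0, len(words) - k + 1):
        yield hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()


def build_index(protected: dict) -> dict:
    """Map each shingle hash of every protected document to that document's name."""
    index = {}
    for name, body in protected.items():
        for h in shingles(body):
            index[h] = name
    return index


def index_match(index: dict, outgoing: str) -> set:
    """Names of protected documents any excerpt of which appears in outgoing text."""
    return {index[h] for h in shingles(outgoing) if h in index}


def inspect(index: dict, outgoing: str) -> dict:
    """The decision a network or agent sensor would make for one message."""
    ids = find_identifiers(outgoing)
    leaks = index_match(index, outgoing)
    return {"block": bool(ids or leaks), "identifiers": ids, "leaked_from": sorted(leaks)}


# Constructed protected document: a fragment of in-house source code.
PROTECTED = {
    "auth-module.c": "static int verify_token(const char *tok, size_t len) "
                     "{ if (len < MIN_TOKEN_LEN) return -EINVAL; return check_hmac(tok, len); }",
}

if __name__ == "__main__":
    idx = build_index(PROTECTED)
    for msg in ("ref 000-12-3456 order 123456789 phone 555-123-4567",
                "Patient John Doe, SSN 219-09-9999, card 4111 1111 1111 1111",
                "quick question about this line: if (len < MIN_TOKEN_LEN) return -EINVAL;"):
        print(inspect(idx, msg))
```

The first message contains three nine-to-ten-digit values and none of them fires, which is the false-positive problem the text describes; the second fires on both rules; the third contains no identifier at all but is caught because seven words of it come from a protected file.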
Why are data protection and security regulation important?
Data protection is essential because it protects an organization's information from fraud, hacking, phishing, and identity theft. Every company that wishes to operate effectively and keep its information secure must develop a data protection plan. As more data is generated and stored, the importance of data protection increases, and data leaks and cyberattacks can have disastrous results. Businesses need to update their security processes regularly and take proactive measures to protect their data. Security regulations are essential because they address the many aspects of how data should be managed within an organization. They are particularly important for mobile devices, which are portable and therefore make data theft simpler.
Design and implement a security policy for an organisation (P7)
Define a security policy and discuss about it
A security policy is essentially a written declaration of how a company intends to protect its IT assets. The policy outlines the measures that must be taken to ensure that the organization's assets are not exposed to unwarranted dangers. A security policy, along with its supporting procedures, standards, and guidelines, is crucial for establishing information security in a firm.
With a written security policy, an organization has the authority to take the actions required to protect its data.
The purpose of an organization's information security policy can vary:
It can be an overall intention and direction, formally expressed by the organization’s management A security policy is a vehicle for communicating an organization’s information security culture and acceptable information security behavior.
It details specific risks and how to address them, and so provides controls that executives can use to direct employee behavior.
It can help to create a security-aware organizational culture.
It can help to ensure that employee behavior is directed and monitored in compliance with security requirements.
Give an example for each of the policies
The main goal of the IT security policy framework is to reduce the organization's exposure to risks, threats, and vulnerabilities. It is crucial to connect policy definitions and standards with real-world design specifications, because those specifications are what ensure the best security controls and countermeasures are properly implemented. Policy statements must include restrictions as well as references to requirements, rules, and procedures. Policies specify how security measures and controls must be used in order to comply with rules and regulations.
Examples of some basic IT security policies include the following:
Acceptable use policy (AUP): The AUP defines the actions that are and are not allowed with respect to the use of organization-owned IT assets. This policy is specific to the User Domain and mitigates risk between an organization and its employees.
Security awareness policy: This policy defines how to ensure that all personnel are aware of the importance of security and of the behavioral expectations under the organization's security policy. This policy is specific to the User Domain and is relevant when you need to change organizational security awareness behavior.
Asset classification policy: This policy defines an organization's data classification standard. It tells what IT assets are critical to the organization's mission. It usually defines the organization's systems, uses, and data priorities and identifies assets within the seven domains of a typical IT infrastructure.
Asset protection policy: This policy helps organizations define a priority for mission-critical IT systems and data. It is aligned with an organization's business impact analysis (BIA) and is used to address risks that could threaten the organization's ability to continue operations after a disaster.
Asset management policy: This policy covers the security operations and management of all IT assets within the seven domains of a typical IT infrastructure.
Vulnerability assessment and management: This policy defines an organization-wide vulnerability window for production operating system and application software. Organization-wide vulnerability assessment and management standards, procedures, and guidelines are developed from this policy.
Threat assessment and monitoring: This policy defines an organization-wide threat assessment and monitoring authority. It should also include specific details regarding the LAN-to-WAN Domain and AUP compliance.
Give the must and should statements that apply when creating a policy
Many firms use a common set of guidelines when creating security policies. The following figure summarizes these guidelines, which can be separated into what a policy must do and what a policy should do.
Figure 1 Policy must and should statements
Explain and write down elements of a security policy
Trust and control are two essential components that must be carefully balanced in a security policy. There are three ways to build trust:
Trust everyone all of the time: This is the easiest model to enforce because there are no restrictions. It is impractical, however, because it leaves systems vulnerable to attack.
Trust no one at any time: This model is the most restrictive, but it is also impractical. Few individuals would work for an organization that did not trust its employees.
Trust some people some of the time: This approach exercises caution in the amount of trust given. Access is provided as needed, with technical controls to ensure the trust is not violated.
A security policy strikes a balance between too little and too much trust in order to offer the appropriate level. This is accomplished by extending a limited amount of trust and allowing workers just enough access to resources to carry out their duties. Choosing the appropriate level of trust can be challenging: too little trust can make it difficult to hire and retain talented individuals, while too much trust can cause security issues.
The second factor that needs to be balanced is control. Implementing control is one of a security policy's objectives, but it can be challenging to determine the appropriate level of control for a given policy. The level of control that is necessary depends largely on the organization's culture and security requirements. Employees will either ignore policies that are excessively strict or difficult to adopt and follow, or they will find a way around the constraints. Management must agree on the appropriate level of control that a security policy should impose.
Not all employees support security policies, since policies require striking a balance between control and trust. Employees sometimes perceive security policies as a hindrance to their productivity, a means of controlling their behavior, or a complex set of rules. This is especially true if policies were not in place or were not strictly enforced in the past. Some users simply "give up" and do not care about security or security guidelines, claiming that securing the company is only "IT's job."
Give the steps to design a policy
Understanding the security policy cycle, defining what a policy is, and being aware of the processes in policy creation are necessary for designing a security policy.
The "rules" that a user follows in an organization are referred to by a variety of terms. A standard is a collection of requirements specific to a system or procedure that everyone must follow; for instance, a standard might outline how to secure a home computer that connects remotely to the company's network, and users who want to connect must meet those requirements. A guideline is a collection of suggestions that should be followed; they are strongly recommended but not mandatory. A policy is a written statement of the precise conditions or rules that must be followed.
The cycle of security policy
The majority of firms build and manage security policies using a three-phase cycle.
The first phase is a vulnerability assessment: a systematic and methodical review of how exposed assets are to potential harm from attackers, natural disasters, or other entities. The goal of a vulnerability assessment is to determine what needs to be protected (asset identification), how vulnerable the current protection is (vulnerability appraisal), how serious the threats could be (risk assessment), and what should be done about it (risk mitigation). The vulnerability assessment includes:
Asset identification: Asset identification determines the items that have a positive economic value, which may include data, hardware, personnel, physical assets, and software. Along with the assets, the attributes of the assets need to be compiled and their relative value determined.
Threat identification: After the assets have been inventoried and given a relative value, the next step is to determine the threats from threat agents. A threat agent is any person or thing with the power to carry out a threat against an asset.
Vulnerability appraisal: After the assets have been inventoried and prioritized, and the threats have been determined, the next step is to determine what current security weaknesses might expose the assets to those threats. This is known as vulnerability appraisal, and it in effect takes a snapshot of the security of the organization as it now stands.
Risk assessment: A risk assessment involves determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization.
Risk mitigation: Once the risks are determined and ranked, the final step is to decide what to do about them. It is important to recognize that security weaknesses can never be entirely eliminated; some degree of risk must always be accepted.
The second phase of the security policy cycle is to use the data from the risk management study to develop the policy. A security policy is a document, or set of documents, that outlines the safeguards a company will use to protect its data. It also describes the organization's response to attacks as well as the duties and responsibilities of each employee with regard to information security.
The final phase is to review the policy for compliance. Because new assets are continually being added to the organization, and new threats appear against the assets, compliance monitoring and evaluation must be conducted regularly. The results of the monitoring and evaluation (such as revealing that a new asset is unprotected) are identified as risks, and the cycle begins again. The security policy cycle is illustrated in the figure below:
Figure 2 The cycle of security policy
Many firms use a common set of guidelines when creating security policies. These guidelines can be broken down into what a policy must do and what a policy should do. It is recommended that a team, rather than just one or two security or IT specialists, develop the security policy. The security policy development team should be tasked with creating the first draft of the policy. They should also decide which groups must review each step of the security policy cycle, complete the necessary approval steps, and decide how the policy will be implemented. The team should ideally include the following individuals:
Member of management who can enforce the policy
Member of the legal staff
Representative from the user community
The team should first determine the goals and scope of the policy. The goals should outline the objectives of the policy, while the scope should outline who is covered by it.
The organization must also decide how explicit the policy should be, keeping in mind that a security policy is not intended to be a comprehensive implementation plan. For instance, a clause requiring employees to take vacation days could simply state the requirement, or it could also specify the number of vacation days they must take.
Statements about due care are also frequently included. In legal and professional contexts, the term "due care" is used to describe the obligations placed on the owners and operators of assets to maintain those assets in a reasonable state of care and to take the necessary safety precautions.
The appropriate amount of care is that which a reasonable person would exercise in the circumstances. Information security policies typically use the term "due care" to refer to the ordinary care that a worker would exercise when using computer equipment. Examples of due care include:
Employees will exercise due care in opening attachments received from unknown sources (a reasonable person should not open an attachment from an unknown source because it may contain malware).
Technicians will exercise due care when installing a new operating system on an existing computer (a reasonable person would not set up a “Guest” account or leave the new password written down and affixed to the monitor).
Students will exercise due care when using computers in a lab setting (a reasonable person would be aware that many students in a crowded lab could see a password as it is entered).
Many organizations follow these additional guidelines while developing a policy:
Provide users with prior notice that a new security policy is being created and provide an explanation of its necessity.
Give a representative group of those impacted by the policy a chance to review and comment on it.
Give users at least two weeks to examine and comment on the policy before rollout.
Provide users who have been assigned tasks in a policy with the authority to fulfill those duties.
List the main components of an organisational disaster recovery plan, justifying the reasons for
Discuss with explanation about business continuity
A company's capacity to continue providing goods and services in the face of a disruptive incident is known as business continuity. An incident might be as simple as an electrical outage or as disastrous as a Category 5 hurricane. Identifying threats, developing preventive and recovery plans, and testing them to see whether they work are all steps in business continuity planning and testing.
Business continuity planning and testing, in essence, are intended to make sure that an organization can continue to operate (continuity of operations) in the event of a natural (flood, storm, earthquake, etc.) or man-made (plane crash, terrorist attack, denial-of-service attack, etc.) disaster. It may also involve succession planning, which is deciding in advance who will be allowed to take over in the event that key personnel become incapacitated or die.
List the components of recovery plan
A DRP is a written document that describes how to restore IT resources after an incident that results in a severe service disruption. A DRP is meant to be comprehensive in scope and thorough, and it must be updated frequently. Although every disaster recovery plan is unique, most address the elements found in the following standard outline:
The reason for the plan and what it encompasses are clearly outlined. The incidents that require the plan to be enacted should also be listed. Topics found under Unit 1 include:
Introduction
Types of computer service disruptions
The team that is responsible for directing the disaster recovery plan is clearly defined. It is important that each member knows her role in the plan and is adequately trained. This part of the plan is continually reviewed as employees leave the organization, home or cell phone numbers change, or new members are added to the team. Unit 2 of the DRP addresses the following:
Organization of the disaster/recovery team
Recovery team leaders and their responsibilities
A DRP lists the entities that could impact an organization and also the procedures and safeguards that should constantly be in force to reduce the risk of a disaster. Topics for Unit 3 include:
The Emergency Procedures unit answers the question "What should happen when a disaster occurs?" Unit 4 outlines the step-by-step procedures that should occur, including the following:
After the initial response has put in place the procedures that allow the organization to continue functioning, this unit addresses how to fully recover from the disaster and return to normal business operations. This unit should include:
Scope of limited operations at central site
Write down all the steps required in disaster recovery process
All staff members should receive comprehensive disaster response training. A frequent mistake is being too eager to start the recovery process. Even though the organization has spent a lot of time and money creating a DRP, you must make sure that you respond to the actual disaster rather than mechanically following the plan. The essential actions when responding to a disaster are:
Ensure everyone’s safety first: No other resource is as important as people.
Respond to the disaster before pursuing recovery: Required response and containment actions depend on the nature of the disaster and may not have anything to do with the recovery effort.
Follow the DRP, including communicating with all affected parties: Once your people are safe and you have responded to the disaster, you can pursue recovery actions.
Disaster recovery is an extension of the DRP. It addresses recovering from common system outages or interruptions. A disaster is generally larger than a common outage, and the resources may not be available to enact simple recovery solutions. For example, most database management systems enable you to quickly recover the primary database from a replicated copy. However, if a disaster has destroyed your database server computer, you will have to restore the server to a stable state before you can restore your database data.
Explain some of the policies and procedures that are required for business continuity
Acceptable Use Policy (AUP): An Acceptable Use Policy (AUP) defines the actions users may perform while accessing systems and networking equipment.
Privacy Policy: Because privacy is of growing concern, many organizations have a privacy policy that outlines how the organization uses information it collects.
Data Policies: Data policies address the different aspects of how data should be handled within an organization.
Security-Related Human Resource Policy: Policies of the organization that address security as it relates to human resources are known as security-related human resource policies.
Ethics Policy: An ethics policy is a written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making.
Password Management and Complexity Policy: A password management and complexity policy addresses how passwords are created and managed.
Basic Forensics Procedures: When responding to a criminal event that requires an examination using computer forensics, four basic steps are followed, which are similar to those of standard forensics. The steps are: secure the crime scene, preserve the evidence, establish a chain of custody, and examine the evidence.
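To make the "preserve the evidence" and "establish a chain of custody" steps concrete, here is an added example (not from the original text or the cited textbooks) of a tamper-evident custody log: every hand-off re-hashes the evidence image, and every log entry hashes the one before it, so an altered image, an edited entry or a removed entry is detected. The evidence bytes, custodian names and timestamps are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first custody entry

def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence image; recorded at every hand-off."""
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own hash), in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_log(evidence: bytes, events: list) -> list:
    """Build the custody log; each entry chains to the previous via prev_hash."""
    log, prev = [], GENESIS
    for custodian, action, when in events:
        entry = {"prev_hash": prev, "custodian": custodian, "action": action,
                 "evidence_sha256": sha256_hex(evidence), "time": when}
        entry["entry_hash"] = entry_digest(entry)
        log.append(entry)
        prev = entry["entry_hash"]
    return log

def verify_log(log: list, evidence: bytes) -> bool:
    """True only if the evidence matches every recorded hash and no entry
    was edited, reordered or removed (the chain of prev_hash values holds)."""
    prev, current = GENESIS, sha256_hex(evidence)
    for entry in log:
        if entry["prev_hash"] != prev or entry["entry_hash"] != entry_digest(entry):
            return False  # log itself was altered or an entry is missing
        if entry["evidence_sha256"] != current:
            return False  # evidence changed while in someone's custody
        prev = entry["entry_hash"]
    return True

# Constructed sample: a small "disk image" and three custody hand-offs.
EVIDENCE = b"constructed sample disk image bytes"
EVENTS = [("A. Analyst", "acquired image at scene", "2024-01-01T09:00:00Z"),
          ("B. Custodian", "checked into evidence locker", "2024-01-01T11:30:00Z"),
          ("C. Examiner", "checked out for examination", "2024-01-02T08:15:00Z")]

def demo() -> dict:
    """Show that the intact log verifies and a tampered image or entry does not."""
    log = build_log(EVIDENCE, EVENTS)
    edited = [dict(e) for e in log]
    edited[1]["custodian"] = "Someone Else"
    return {"intact": verify_log(log, EVIDENCE),
            "image_changed": verify_log(log, EVIDENCE + b"\x00"),
            "entry_edited": verify_log(edited, EVIDENCE),
            "entry_removed": verify_log(log[:1] + log[2:], EVIDENCE)}
```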
Incident Response Procedures: In an event that requires an incident response, general incident procedures should be followed. These include:
o Preparation: The key to properly handling an event is to be prepared in advance by establishing comprehensive policies and procedures.
o Execution: Putting the policies and procedures in place involves several crucial steps. The incident first must be properly identified, and then key personnel must be notified and the procedures escalated as necessary. Damage and loss control steps should be taken to mitigate damage, particularly in the event of a data breach. Equipment must be isolated by either quarantine or the entire removal of the device itself. Once secured, the recovery procedures may begin.
o Analysis: In the aftermath, proper reporting should document how the event occurred and what actions were taken. In addition, a “lessons learned” analysis should be conducted in order to use the event to build stronger incident response policies and procedures in the future.
Classification Procedures: Classification procedures are critical to effective data classification. Before implementing these procedures, it is vital that you first determine their scope and process. Classification scope determines what data you should classify; classification process determines how you handle classified data. You must label and mark all resources properly. By adhering to strong procedures, you will be ready for any upcoming audits.
Change Control Procedures: Change control procedures ensure that a change does not happen without following the right steps. This helps you avoid problems such as scope creep, which allows unauthorized changes to sneak into a system. It also helps avoid problems caused by lack of oversight, by lack of testing, or by making changes without proper authorization.