Lec06 2023

Uploaded by Robert Oo

BCS2014

Cyber Security

Lecture 6:
Safety in Digital World
Learning Objectives
• List the elements of key information security management practices
• Discuss information security constraints on general hiring processes
• Explain the role of information security in employee terminations
• Describe the security practices used to regulate employee behavior
and prevent misuse of information
• Discuss the Cybersecurity metrics, advantages and challenges
• Describe the key components of, and suitable strategies for the implementation of, a security performance measurement program
• Discuss benchmarking and baselining
Introduction to Security Practices
• Value proposition – organizations strive to deliver the most value with
a given level of investment
• The development and use of sound and repeatable information
security (InfoSec) management practices can bring the organizations
closer to meeting this objective
• A challenge that is seldom considered in organizations: the need for a close working relationship between (1) information security, (2) the HR department, and (3) every department engaged in personnel management, specifically in hiring, evaluating and terminating employees
Introduction to Security Practices
• Why is a close working relationship needed?
  • Each phase of the personnel management life cycle could potentially result in a risk to the security of the organization's information assets
• To overcome the challenge
  • InfoSec should share the responsibility of educating the rest of the organization on how to avoid accidental information disclosure
• Executive and supervisory groups want assurance that organizations are
  • working toward the value proposition
  • measuring the quality of management practices
Security Employment Practices
• The general management community of interest should integrate solid InfoSec concepts across all the organization's employment policies and practices. This covers:
  • Hiring
  • Contracts and employment
  • Security expectations in the performance evaluation
  • Termination issues
  • Personnel security practices
  • Security of personnel and personal data
  • Security considerations for temporary employees, consultants and other workers
Security Employment Practices –
Hiring
• The hiring of employees is laden with potential security pitfalls
• So, InfoSec considerations should become part of the hiring process

[Figure: some of the hiring concerns]

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage Learning. ISBN: 9781337671545
Security Employment Practices –
Hiring
• Bringing InfoSec into the hiring process (job descriptions)
  • Review and update job descriptions to include InfoSec responsibilities
  • Screen for unwanted disclosures. Example: when advertising open positions, omit any description of the access privileges or the type of sensitive information to which the position would have access
• Job descriptions should focus on the skills and abilities needed by the candidate; avoid describing the organization's systems and security, or the details of access or responsibilities the new hire will have
Security Employment Practices –
Hiring
Interviews
• If a position within the InfoSec department opens, the security
manager should educate HR personnel on the (1) various
certifications, (2) the specific experience each credential requires and
(3) the qualifications of a good candidate

• If a job interview includes a site visit, the tour should avoid secure and restricted sites
  • The candidate is not yet bound by organizational policy or an employment contract
Security Employment Practices –
Hiring
Background checks
• Should be conducted before the organization extends an offer to any
candidate
• Can uncover past criminal behavior or other information that suggests
a potential for future misconduct
• Background checks differ in their level of detail and depth:
  • e.g. a military background check vs. a background check for an InfoSec position
Security Employment Practices –
Contracts and Employment
• Once a candidate has accepted a job offer, the employment contract
becomes an important security instrument
• Job candidates can be offered "employment contingent upon agreement"
  • They are not formally hired into a position unless they agree to the binding organizational policies
  • Once the candidate signs the security agreements, the remainder of the employment contract may be executed
Security Employment Practices –
Contracts and Employment
New Hire Orientation
• New employees should receive an extensive InfoSec briefing
• Should cover policies, security procedures, access levels and training
on the secure use of information systems
• Before they report to their position, new employees should be thoroughly briefed on the security component of their particular jobs, and on their rights and responsibilities
Security Employment Practices –
Contracts and Employment
On-the-job security training
• Periodic Security Education, Training and Awareness (SETA) activities should be conducted
  • Keep security at the forefront of employees' minds
  • Minimize employee mistakes
• Formal external and informal internal seminars
  • Increase the level of security awareness for all employees, especially InfoSec employees
Security Employment Practices –
Security Expectations in the Performance Evaluation
• Organizations should incorporate InfoSec components into employee
performance evaluations
• Why?
• Examples of review comments related to security accountabilities in the assessment areas and evaluation criteria:

  "Alice is meticulous in her management of classified documents..."

  "Bob worked tirelessly to safeguard the newly developed intellectual property his team was responsible for..."
Security Employment Practices –
Termination Issues
• When an employee leaves an organization:
  • The former employee's access to the organization's systems must be disabled
  • All organizational property must be returned
  • Hard drives must be secured
  • File cabinet locks must be changed
  • Office door locks must be changed
  • Keycard access must be revoked
  • Personal effects must be removed from the premises
  • The former employee should be escorted from the premises once the organizational property has been turned over
Security Employment Practices –
Termination Issues
• Organizations should conduct an exit interview to remind the employee
  • of any contractual obligations
  • that failure to comply with contractual obligations could lead to civil or criminal action
• From a security standpoint, voluntary or involuntary termination inevitably brings a risk of exposure of organizational information
Security Employment Practices –
Personnel Security Practices
• There are various ways to monitor and control employees to minimize their opportunities to misuse information
• Separation of duties (also known as segregation of duties) makes it difficult for an individual to violate InfoSec and breach the confidentiality, integrity or availability of information
  • Example: a bank issuing a cashier's check (one person prepares the check; another signs it)
• Separation of duties can be applied to critical information and information systems
  • Example: updating software (one person tests the update; another applies the tested update to the production system)
Security Employment Practices –
Personnel Security Practices
• This checks-and-balances method requires two or more people to conspire or collaborate to commit a theft or other misadventure, which is known as collusion
  • In other words, collusion is a conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions
  • The odds that two people will be able to collaborate successfully to misuse the system are much lower than the odds of one person doing so
• Two-person control (dual control): the organization of a task or process such that it requires at least two individuals to work together to complete it
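The separation-of-duties and two-person-control checks described on this slide, implemented as an added Python example (not from the lecture or the textbook); the change record, the role names and the people involved are constructed for illustration:

```python
"""Separation of duties and two-person control on a production change.

Constructed example (not from the lecture): a record for applying a software
update to production must be prepared by one person, tested by a different
person, and approved by two distinct approvers, none of whom prepared or
tested it. The checks return a list of violations so callers can log them.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ChangeRecord:
    """A production change request with the people involved at each step."""
    change_id: str
    prepared_by: str
    tested_by: str
    approved_by: List[str] = field(default_factory=list)


def check_separation_of_duties(rec: ChangeRecord) -> List[str]:
    """Flag any single person who holds more than one conflicting role."""
    violations = []
    if rec.prepared_by == rec.tested_by:
        violations.append(
            f"{rec.change_id}: preparer and tester are the same person "
            f"({rec.prepared_by})")
    for approver in rec.approved_by:
        if approver in (rec.prepared_by, rec.tested_by):
            violations.append(
                f"{rec.change_id}: approver {approver} also prepared or tested")
    return violations


def check_two_person_control(rec: ChangeRecord, required: int = 2) -> List[str]:
    """Require at least `required` distinct approvers (dual control)."""
    distinct = set(rec.approved_by)
    if len(distinct) < required:
        return [f"{rec.change_id}: {len(distinct)} distinct approver(s), "
                f"{required} required"]
    return []


def may_deploy(rec: ChangeRecord) -> bool:
    """True only when both controls pass, so pushing an unreviewed change
    through would need several people to collude."""
    return not (check_separation_of_duties(rec) + check_two_person_control(rec))


if __name__ == "__main__":
    # Constructed sample records: one compliant, one where a single person
    # prepared, tested and "approved" the change.
    good = ChangeRecord("CHG-1", "alice", "bob", ["carol", "dave"])
    bad = ChangeRecord("CHG-2", "alice", "alice", ["alice", "alice"])
    for rec in (good, bad):
        print(rec.change_id, "deploy" if may_deploy(rec) else "blocked",
              check_separation_of_duties(rec) + check_two_person_control(rec))
```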
Security Employment Practices –
Security of Personnel and Personal Data
• Organizations are required by law to protect sensitive or personal employee information:
  • Personally identifiable information (address, phone numbers)
  • Medical conditions
  • Other protected health information
  • Even the names and addresses of family members
• This responsibility also extends to customers, patients and anyone with whom the organization has business relationships
• InfoSec procedures should ensure that this data receives at least the same level of protection as the other important data in the organization
Security Employment Practices –
Security Considerations for Temporary Employees, Consultants and Other Workers
• Relationships with people in this category should be carefully managed to prevent threats to information assets
• Temporary workers
  • Are brought in by organizations to fill positions temporarily or to supplement the existing workforce
  • Because they are not employees of the organization, they may not be subject to the contractual obligations or general policies that govern other employees
    • If a temp violates a policy or causes a problem, the strongest action the host organization can take is to terminate the relationship with the individual and request that he or she be censured
  • Temporary workers' access to information should be limited to what is necessary to perform their duties
Security Employment Practices –
Security of Personnel and Personal Data
• Contract employees
  • Called contractors
  • Are hired to perform specific services for the organization
  • Examples:
    • Groundskeepers, maintenance services staff, electricians, other repair people
    • Professionals: technical consultants, IT specialists, pen testing experts, etc.
  • Professional contractors may require access to all or specific facilities, but they should not be allowed to wander freely in and out of buildings
  • In a secure facility, all service contractors are escorted from room to room, and into and out of the facility
Security Employment Practices –
Security of Personnel and Personal Data
• Consultants
  • Organizations sometimes hire self-employed or agent contractors (called consultants) for specific tasks or projects
  • Consultants have their own security requirements and contractual obligations; their contract should specify their rights of access to information and facilities
  • These professionals may request permission to include the business relationship on their resumes or promotional materials. The hiring organization is not obligated to grant this permission and can explicitly deny it
  • Apply the principle of least privilege when working with consultants
Security Employment Practices –
Security of Personnel and Personal Data
• Business partners
  • Businesses sometimes engage in strategic alliances with other organizations to exchange information, integrate systems or enjoy some other mutual advantage
  • A prior business agreement must specify the levels of exposure that both organizations are willing to tolerate
  • Nondisclosure agreements are an important part of any such collaborative effort
  • The level of security of both organizations' systems must be examined before any physical integration takes place
  • Risk: connecting systems means that a vulnerability on one system becomes a vulnerability for all the linked systems
Security Metrics
• As defined by the National Institute of Standards and Technology (NIST), metrics are tools that are designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.
• Without good metrics, analysts cannot answer many security related
questions. Some examples of such questions include
• “Is our network more secure today than it was before?”
• “Have the changes of network configurations improved our security posture?”
Security Metrics
• The ultimate aim of security metrics is to ensure business continuity
(or mission success) and minimize business damage by preventing or
minimizing the potential impact of cyber incidents.
• To achieve this goal, organizations need to take into consideration all
information security dimensions, and provide stakeholders detailed
information about their network security management and risk
treatment processes.
Cyber Security Metrics
• A cybersecurity metric contains the number of reported incidents, any fluctuations in these numbers, and the identification time and cost of an attack. Thus, it provides statistics that can be used to ensure the security of the current application.
• Organizations get an overall view of threats in terms of time, severity and number. This is important today, when this data keeps fluctuating. This way organizations can maximize protection from threats in the future.
Cybersecurity Metric
A cybersecurity metric assists the organization in the following ways:
• It facilitates decision-making and improves overall performance and accountability.
• It helps in setting quantifiable measures based on objective data in the metric.
• It helps in making corrections in an efficient way.
• It brings together all the factors like finance, regulation, and organization to measure security.
• It maintains the log of every individual system that has been tested over the years.
Cybersecurity Metrics
Here is a list of some important cybersecurity metrics that portray the current threat scenario well.
• Number of systems with vulnerabilities: A very important cybersecurity metric is to know where your assets lag. This helps in determining risks along with the improvements that must be made. This way the vulnerabilities can be worked on before anyone exploits them.
• Mean detection and response time: The sooner a cybersecurity breach is detected and responded to, the smaller the loss. It is important to have systems that reduce the mean detection and response time.
• Data volume over the corporate network: Employees having unrestricted access to the company's internet may turn into a disaster. If they use the company's resources to download anything, it might lead to a malware infection.
Cont.
• Review of the frequency of third-party access: Third parties might have to access the network of a company to complete a project or activity. Thus, monitoring their access is important to identify any suspicious activity that might be going on at their end.
• Partners with effective cybersecurity: A company may have full control over its own cybersecurity policies, but you never know if its business partners are as conscientious as you. Thus, the higher the number of partners with strict cybersecurity policies, the lower the chance of cyberattacks.
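The mean detection and response time metric listed above, computed in an added Python example that is not part of the lecture; the incident records and their timestamps are constructed sample data, and the field names are assumptions:

```python
"""Mean time to detect (MTTD) and mean time to respond (MTTR) in hours.

Constructed example (not from the lecture): each incident record carries the
timestamps at which the compromise started, was detected and was contained.
Detection time runs from start to detection; response time from detection to
containment. Incidents still open (no containment time yet) are excluded from
MTTR but counted, so the report shows how many are outstanding.
"""
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample incidents (ISO 8601 timestamps, assumed UTC)
INCIDENTS = [
    {"id": "INC-1", "started": "2023-03-01T08:00:00",
     "detected": "2023-03-01T09:30:00", "contained": "2023-03-01T12:30:00"},
    {"id": "INC-2", "started": "2023-03-04T22:00:00",
     "detected": "2023-03-05T06:00:00", "contained": "2023-03-05T10:00:00"},
    {"id": "INC-3", "started": "2023-03-07T13:00:00",
     "detected": "2023-03-07T13:30:00", "contained": None},  # still open
]


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None


def detection_hours(inc: Dict) -> float:
    """Hours from compromise start to detection."""
    return (_ts(inc["detected"]) - _ts(inc["started"])) / timedelta(hours=1)


def response_hours(inc: Dict) -> Optional[float]:
    """Hours from detection to containment; None while the incident is open."""
    contained = _ts(inc["contained"])
    if contained is None:
        return None
    return (contained - _ts(inc["detected"])) / timedelta(hours=1)


def summarize(incidents: List[Dict]) -> Dict[str, float]:
    """MTTD and MTTR in hours, the slowest detection, and the open count."""
    detect = [detection_hours(i) for i in incidents]
    respond = [r for r in (response_hours(i) for i in incidents) if r is not None]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(respond),
        "mttd_hours": round(mean(detect), 2) if detect else 0.0,
        "mttr_hours": round(mean(respond), 2) if respond else 0.0,
        "max_detect_hours": round(max(detect), 2) if detect else 0.0,
    }


if __name__ == "__main__":
    print(summarize(INCIDENTS))
```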
Advantage of using metrics:
• For learning: To figure out different information pertaining to a system, we have to start by asking questions. These questions will lead us to answers and then in turn to information.
• For decision making: When we use a metric to gain information about a system, we can extend its use even further by gaining insight into previous decisions.
• For implementation of plans: After analyzing the loopholes in the system and making decisions on how to go about rectifying them, it is time to take action.
Challenges with a Cybersecurity Metric:
• It tracks the activity but does not say anything about outcomes. This is
a major limitation because the outcome adds more value.
• The metric provides a simple dashboard having the security status of
a company. However, in the process, it reveals key information about
how prepared the organization is.
• There exists a huge communication gap between the security function and the people they report to. Thus, the metric becomes incomprehensible for management.
Information Security Performance
Measurement
• InfoSec performance management is the process of designing,
implementing and managing the use of the collected data elements
(called measurements/ metrics) to determine the effectiveness of the
overall security program
• Performance measurements are the data points computed from such
measurements that may indicate the effectiveness of security
countermeasures or controls (technical and managerial) as implemented
in the organization
• Control approaches that are not effective should be modified or replaced
• Those that are effective should be supported and continued
Information Security Performance
Measurement
• Why is security performance measurement needed?
  • Supports managerial decisions
  • Increases accountability
  • Improves the effectiveness of the InfoSec function
• Organizations use 3 types of measurements:
• Those that determine the effectiveness of the execution of InfoSec policy
• Those that determine the effectiveness of the delivery of InfoSec services
(including managerial and technical services)
• Those that assess the impact of an incident or other security event on the
organization
Information Security Performance
Measurement
• When an organization applies statistical and other quantitative forms
of mathematical analysis to the data points collected in order to
measure the activities and outcomes of the InfoSec program, it is
using InfoSec metrics
• Managing the use of InfoSec performance measurements requires commitment from the InfoSec management team.
• It consumes resources (people’s time, hardware cycles, special software)
• The result of the effort must be periodically and consistently reviewed
Information Security Performance Measurement -
building the performance measurement program
• The InfoSec measurement development process can be divided into 2 major activities

[Figure: the InfoSec measurement development process]

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage Learning. ISBN: 9781337671545
Information Security Performance Measurement -
building the performance measurement program
• Phase 1
  • Identify relevant stakeholders and their interests in InfoSec measurement
    • Primary stakeholders: those with key responsibilities or data ownership
    • Secondary stakeholders: those with relevant tasks in their jobs
• Phase 2
  • Identify and document the InfoSec performance goals and objectives
• Phase 3
  • Focus on organization-specific InfoSec practices
    • How security controls should be implemented
    • Any specific policies and procedures that define the baseline of the practices
Information Security Performance Measurement -
building the performance measurement program
• Phase 4
  • Review the existing measurements and data repositories
  • Applicable information is extracted and used
• Phases 5, 6 and 7
  • Track process implementation, effectiveness and mission impact

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage Learning. ISBN: 9781337671545
Information Security Performance Measurement -
specifying InfoSec measurements
• One of the critical tasks in the measurement process is to assess and
quantify what will be measured
• Must obtain more detailed measurements
• Measurements collected from production statistics depend greatly on
the number of systems and the number of users of the system
• Link the outcome of each project, in terms of loss control or risk reduction, to the resources consumed
Information Security Performance Measurement -
collecting InfoSec measurements
• Designing the collection process requires thoughtful consideration of the
intent of the measurement along with a thorough knowledge of how
production services are delivered
• One of the priorities in building an InfoSec process measurement
program is determining whether these measurements are:
• Macro-focus or
• Micro-focus
• Macro-focus measurements: examine the performance of the overall
security program
• Micro-focus measurements: examine the performance of an individual
control or group of controls within the InfoSec program
Information Security Performance Measurement -
collecting InfoSec measurements
• It is important to ensure that individual metrics are prioritized in the
same manner as the processes that they measure
• Low-, medium- or high-priority ranking system
• Weighted scale approach – assigning values to each measurement based on
its importance in the overall InfoSec program
• Literally, hundreds of measurements could be used; only those
associated with appropriate-level priority activities should be
incorporated
Information Security Performance Measurement -
implementing InfoSec performance measurements
• Once developed, InfoSec performance measurements must be
implemented and integrated into the ongoing InfoSec management
operations
• Performance measurement is an ongoing and continuous
improvement operation
• The collection of all measurement data should be part of standard
operating procedure across the organization
Information Security Performance Measurement -
reporting InfoSec performance measurements
• In most cases, simply listing the performance measurements collected
does not adequately convey their meaning
  • E.g. a line chart showing the number of malicious code attacks occurring per day
  • It may provide more information to also show the number of new malicious code variants on the Internet in that time period (so that precautions can be taken)
• How to do reporting? Present correlated metrics
  • Use pie, line, scatter or bar charts?
  • Which colors denote which kinds of results?
Information Security Performance Measurement -
reporting InfoSec performance measurements
• Must consider to whom the results of the performance measurement program should be disseminated
• How should they be delivered?
• Usually, these types of reports are presented in meetings with key executive peers
• It is seldom advisable to broadcast complex metrics-based reports to
large groups, unless the key points are well established and
embedded in a more complete context, such as a press release
Information Security Performance Measurement -
reporting InfoSec performance measurements
• Many organizations choose to implement a consolidated summary of key performance measurements using a dashboard of security indicators

[Figure: example dashboard of security indicators]

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th ed.). Cengage Learning. ISBN: 9781337671545
Benchmarking
• Benchmarking is an attempt to improve information security practices by comparing an organization's efforts against the practices of a similar organization or an industry-developed standard
  • i.e. with other organizations similar in size, structure or industry
• Two categories of benchmarks are used:
  • Standards of due care/due diligence
  • Recommended practices
Benchmarking
Standard of due care/due diligence
• For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security
• These organizations may need to verify that they have done what any prudent organization would do in similar circumstances

Recommended security practices
• Security efforts that seek to provide a superior level of performance in the protection of information
• These practices balance the need for information access with the need for adequate protection while demonstrating fiscal responsibility
Baselining
• A baseline is a value or profile of a performance metric against which changes in the performance metric can be usefully compared.
• An example: a baseline for the number of attacks per week that an organization experiences. In the future, this baseline can serve as a reference point to determine whether the average number of attacks is increasing or decreasing.
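An added Python example (not from the lecture) of the attacks-per-week baseline described above: it builds the baseline from the first weeks of counts and reports whether the later average is increasing or decreasing; it also flags individual weeks that deviate sharply from the baseline, which goes slightly beyond the slide's average comparison. The weekly counts, the baseline length and the tolerance values are constructed assumptions.

```python
"""Baselining the number of attacks per week.

Constructed example (not from the lecture): the first `baseline_weeks` counts
form the baseline (mean and sample standard deviation). Later weeks are then
compared against it in two ways: the post-baseline average is classified as
increasing, decreasing or stable, and any single week more than `k` standard
deviations from the baseline mean is flagged for review.
"""
from statistics import mean, stdev
from typing import Dict, List

# Constructed weekly counts of attacks (e.g. blocked intrusion attempts)
WEEKLY_ATTACKS = [42, 39, 45, 41, 38, 44, 40, 43,   # baseline period
                  44, 47, 52, 61, 58, 70]           # weeks after baselining


def build_baseline(counts: List[int], baseline_weeks: int) -> Dict[str, float]:
    """Mean and sample standard deviation of the first `baseline_weeks` weeks."""
    window = counts[:baseline_weeks]
    if len(window) < 2:
        raise ValueError("need at least two weeks to compute a baseline")
    return {"mean": mean(window), "stdev": stdev(window), "weeks": len(window)}


def flag_weeks(counts: List[int], baseline: Dict[str, float],
               k: float = 2.0) -> List[int]:
    """0-based indices of weeks more than k standard deviations from the mean."""
    threshold = k * baseline["stdev"]
    return [i for i, c in enumerate(counts)
            if abs(c - baseline["mean"]) > threshold]


def trend(counts: List[int], baseline: Dict[str, float],
          tolerance: float = 0.10) -> str:
    """Compare the post-baseline average with the baseline mean.

    A relative change within `tolerance` of the baseline mean is 'stable'.
    """
    recent = counts[int(baseline["weeks"]):]
    if not recent:
        return "no data after baseline"
    delta = (mean(recent) - baseline["mean"]) / baseline["mean"]
    if delta > tolerance:
        return "increasing"
    if delta < -tolerance:
        return "decreasing"
    return "stable"


if __name__ == "__main__":
    b = build_baseline(WEEKLY_ATTACKS, 8)
    print(f"baseline mean {b['mean']:.1f}, stdev {b['stdev']:.2f}")
    print("trend:", trend(WEEKLY_ATTACKS, b))
    print("weeks to review:", flag_weeks(WEEKLY_ATTACKS, b))
```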
