CYB238 Lecture 1 V2

The document outlines the importance of cybersecurity, focusing on the protection of networks and electronic information systems, data classification, and common cyber threats. It details the roles within cybersecurity, the classification of data into Restricted, Private, and Public categories, and the relationship between assets, threats, vulnerabilities, risks, and controls. Additionally, it includes exercises and solutions related to information assurance and risk management for organizations.


Cybersecurity Policies and Issues (CYB238)

Module 1

Outline

1. Overview of the cybersecurity landscape
2. Data classification
3. Common types of cyber threats and attacks; vulnerabilities, risks, and controls
Cybersecurity landscape

The following are critical elements to remember about cybersecurity:
• Cybersecurity is primarily focused on the protection of networks and electronic information systems.
• Cybersecurity often focuses on the vulnerabilities and threats of an information system at the tactical level. System scanning, patching, and secure configuration enforcement are common foci of cybersecurity.
• Intrusion detection, incident response, and other functions commonly run from a security operations centre (SOC) are often identified as cybersecurity functions.
Cybersecurity roles
• Information security analyst
• Information security specialist
• Digital forensics examiner
• IT auditor
• Security system administrator
• Penetration tester
• Security engineer
• Security architect
• Cryptography engineer
• Cybersecurity manager
Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels.
Data Classification

Classification: Definition

Restricted: Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Private: Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Public: Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Exercises

1. An organization's board of directors has recently experienced a substantial change in leadership. The new members of the board have demanded an external audit for internal control and information assurance. What should the president or leader of the organization be prepared to provide to ensure the board is comfortable with the audit results?

2. The senior leadership of a large organization has never considered the need for information assurance in the organization's operations. After a series of attacks have crippled similar competitors, senior leadership is now concerned about information assurance. The information technology staff (both in-house and outsourced) has assured senior leadership repeatedly that there is nothing to worry about. Are they right?
Exercise 1 Solution

• An organization's board of directors has recently experienced a substantial change in leadership. The new members of the board have demanded an internal audit for internal control in information assurance. What should the president or leader of the organization be prepared to provide to ensure the board is comfortable with the audit results?

• The president should understand the organization and the business or mission of the organization and how it relates to information assurance. The audit will most likely focus on internal controls that include regulatory requirements and separation of duties to prevent fraud. The audit will also cover how well the organization has identified its critical assets, services, and vulnerabilities. An organization that has information assurance as part of its corporate culture and operations will experience a difficult audit.
Exercise 2 Solution

• The senior leadership of a large organization has never considered the need for information assurance in the organization's operations. After a series of attacks have crippled similar competitors, senior leadership is now concerned about information assurance. The information technology staff (both in-house and outsourced) has assured senior leadership repeatedly that there is nothing to worry about. Are they right?

• The senior leaders of the organization should demand that an information assurance function be developed and a permanent information assurance program be established. The information assurance program's primary responsibility will be to enable the mission of the organization while bringing visibility into the risk the organization is assuming. The information assurance program will be authorized to perform risk assessments against both in-house and outsourced IT to provide unbiased risk information to senior leadership and the board of directors if necessary.
Assets, Threats, Vulnerabilities, Risks, and Controls

• The combination of vulnerabilities and threats contributes to risk.
• To mitigate and control risks effectively, organizations should be aware of the shortcomings in their information systems and should be prepared to tackle them in case the shortcomings turn into threats to activities or business.
Definitions: Assets, threats, vulnerabilities, risk and controls

An asset is anything valuable to the organization. An information asset, if compromised, may cause losses should it be disclosed, be altered, or become unavailable. An information asset can be tangible or intangible, such as hardware, software, data, services, and people. The losses can also be tangible or intangible, such as the number of machines or a smeared reputation.

Threats are potential events that may cause the loss of an information asset. A threat may be natural, deliberate, or accidental.

Vulnerabilities are weaknesses exploited by threats. They are threat independent, and if exploited, they allow harm in terms of the CIA triad. Examples of vulnerabilities include software bugs, open ports, poorly trained personnel, and outdated policy. You can find a more complete list of vulnerabilities in Appendix C.
Definitions: Assets, threats, vulnerabilities, risk and controls

A risk expresses the chance of something happening because of a threat successfully exploiting a vulnerability that will eventually affect the organization. Examples of impact are loss of competitive edge, loss of confidential information, systems unavailability, failure to meet a service level agreement, and tarnished reputation.

To manage risks, controls are established. Controls are protective measures or mechanisms that reduce risks. The types and likelihood of threats vary based on the nature of the business, location, and time. The next section discusses the general threats found in a typical IT environment.
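The slides describe the pieces (classified assets, threats, vulnerabilities, controls, risk) only in words. The following added example, which is not part of the CYB238 slides, ties them together in a small risk register: it applies the data classification slide's default rule (anything not explicitly Restricted or Public is Private, and Public data still needs integrity and availability protection), records each risk as a threat exploiting a vulnerability of an asset on one leg of the CIA triad, and shows how controls lower the residual risk. The 1..3 scales, the impact table, the likelihood-times-impact formula and every asset, threat and control named in the sample register are assumptions constructed for illustration; the lecture gives no formula and real programmes use their own scales.

```python
"""Added example (not from the CYB238 slides): a minimal risk register that
encodes the relationships the lecture describes qualitatively.

  * every asset carries a classification; anything not explicitly marked
    Restricted or Public is treated as Private (the slide's default rule);
  * a risk is a threat that could exploit a vulnerability of an asset and
    harm one leg of the CIA triad;
  * controls are protective measures that reduce that risk.

The 1..3 scoring scales, the impact table and the likelihood-times-impact
formula are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Classification(Enum):
    RESTRICTED = "Restricted"
    PRIVATE = "Private"
    PUBLIC = "Public"


def classify(label: Optional[str]) -> Classification:
    """Apply the slide's rule: only an explicit Restricted or Public label
    changes the level; a missing or unrecognised label falls back to Private."""
    if label is None:
        return Classification.PRIVATE
    explicit = {"restricted": Classification.RESTRICTED,
                "public": Classification.PUBLIC}
    return explicit.get(label.strip().lower(), Classification.PRIVATE)


# Assumed impact (1 low .. 3 high) per CIA leg. Public data carries a low
# confidentiality impact but, as the slide notes, still needs protection
# against unauthorised modification or destruction (the I and A legs).
IMPACT = {
    Classification.RESTRICTED: {"C": 3, "I": 3, "A": 3},
    Classification.PRIVATE:    {"C": 2, "I": 2, "A": 2},
    Classification.PUBLIC:     {"C": 1, "I": 2, "A": 2},
}


@dataclass
class Asset:
    name: str
    classification: Classification


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # assumed: points removed from the 1..3 likelihood


@dataclass
class Risk:
    asset: Asset
    threat: str          # potential event: natural, deliberate or accidental
    vulnerability: str   # threat-independent weakness the threat would exploit
    affects: str         # "C", "I" or "A": the CIA leg that would be harmed
    likelihood: int      # 1 rare .. 3 likely (assumed scale)
    controls: List[Control] = field(default_factory=list)


def inherent_risk(r: Risk) -> int:
    """Risk before controls: likelihood x impact for the affected asset."""
    return r.likelihood * IMPACT[r.asset.classification][r.affects]


def residual_risk(r: Risk) -> int:
    """Risk after controls. Controls lower likelihood but never below 1:
    a control reduces risk, it does not make the threat impossible."""
    reduction = sum(c.likelihood_reduction for c in r.controls)
    return max(1, r.likelihood - reduction) * IMPACT[r.asset.classification][r.affects]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order for treatment: highest residual risk first, inherent risk as tie-break."""
    return sorted(register, key=lambda r: (-residual_risk(r), -inherent_risk(r),
                                           r.asset.name, r.threat))


def build_register() -> List[Risk]:
    """Constructed sample entries (hypothetical assets, threats and controls)."""
    records = Asset("student records database", classify("Restricted"))
    salaries = Asset("HR salary spreadsheet", classify(None))      # unlabelled -> Private
    catalogue = Asset("course catalogue page", classify("public"))
    patching = Control("monthly patching", 1)
    segmentation = Control("network segmentation", 1)
    mfa = Control("MFA on the CMS admin login", 1)
    return [
        Risk(records, "external attacker", "unpatched database service", "C", 3,
             [patching, segmentation]),
        Risk(salaries, "accidental deletion by staff", "no backups", "A", 2),
        Risk(catalogue, "website defacement", "weak admin password", "I", 2, [mfa]),
        Risk(catalogue, "disclosure of page contents", "world-readable by design", "C", 3),
    ]


if __name__ == "__main__":
    for r in prioritise(build_register()):
        print(f"residual {residual_risk(r)} (inherent {inherent_risk(r)})  "
              f"{r.asset.name} / {r.threat} via {r.vulnerability} "
              f"[{r.asset.classification.value}, {r.affects}]")
```

Two things the run makes visible that the prose only states: the unlabelled HR spreadsheet ends up at the top of the list because the default-to-Private rule gives it a moderate impact and it has no controls at all, and the public page's disclosure risk stays at 3 with no controls because confidentiality of Public data carries little impact, while its defacement risk does get treated because integrity of Public data still matters.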
[Figure: Relationships between assets, threats, vulnerabilities, and controls to risks]
Common Threats

• Errors and negligence
• Fraudulent and theft activities
• Malware
• Attackers
Critical Thinking Exercises

1. What assets or services do you think your organization considers critical for success? What is your organization's responsibility for those assets or services, and how are they currently protected? How do you know an appropriate level of due diligence and due care is being practiced in relation to your organization's use of information systems and data?

2. A member of your team informs you that the organization can purchase insurance for breaches of personally identifiable information (PII) and financial data such as credit card information. The insurance will cost less than the information assurance program proposed by the CISO. Would you purchase the insurance at the expense of an information assurance program?

3. A breach has occurred, and according to the organization's web site privacy policy and terms of service, your customers agreed to whatever level of security the organization deemed sufficient and reasonable. Is the organization protected from retaliation from customers or other entities?
