SlideShare a Scribd company logo

Chapter 1 Best Practices, Standards, and a Plan of Action.pptx

Download as PPTX, PDF
K
kevlekalakala

This document provides a summary of key cybersecurity frameworks and standards. It begins with definitions of cybersecurity and discussing objectives like availability, integrity, and confidentiality. It then outlines several important frameworks, including ISO 27001 which defines requirements for an information security management system, the NIST Cybersecurity Framework which provides guidance on managing cybersecurity risks, and the CIS Critical Security Controls which define controls for effective cyber defense. It also discusses standards like PCI DSS for payment security and ISO 27002 which provides best practice recommendations. Overall, the document introduces the most influential cybersecurity frameworks and standards used to help organizations design and implement effective security practices.

Career
1 of 35
Download to read offline
1
2
3
4
Most read
5
Most read
6
Most read
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
WELCOME TO RICHFIELD First Semester –Year 2021 Module Name: Cybersecurity 700 SLIDES
Introduction
Introduction • This chapter begins with a definition of cybersecurity and a discussion of the importance of standards and best practices documents in cybersecurity. • The sections that follow look at the most significant sources of these documents for effective cybersecurity management. • Finally, this chapter provides a discussion of the effective use of standards and best practices documents.
Defining Cyberspace and Cybersecurity • Cyberspace: consists of artifacts based on or dependent on computer and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements.  An example of cyberspace is the home of Google, Yahoo and Facebook etc. • Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that are used to protect the cyberspace environment and organization and user’s assets.
A more extensive list of cybersecurity objectives includes the following: The CIA or AIC Triad (Availability, Integrity and Confidentiality) • Availability: The property of a system or a system resource being accessible or usable or operational upon demand. It involves the following aspects:  Recovery  Backups  Redundancy  Protect against threats
A more extensive list of cybersecurity objectives includes the following: The CIA or AIC Triad • Integrity : Messages or data cannot be modified without detection.  Making sure that attackers cannot compromise data integrity  User mistakes o File deletion o Data input errors  Least Privilege o Restrict system files o Database rights and permission
A more extensive list of cybersecurity objectives includes the following: The CIA or AIC Triad • Confidentiality: The property that data is not disclosed to system entities unless they have been authorized to know the data. It involves the following:  Attacking confidentiality o Password files o Social Engineering  Data encryption o Storage o Transmission
Two related terms should be mentioned: • Information security (Infosec): The main aim of InfoSec is to ensure confidentiality, integrity, and availability of company information. It allows organizations to protect digital and analog information. • Network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. • Cybersecurity encompasses information security, with respect to electronic information, and network security. Information security also is concerned with physical (for example, paper-based) information.
The Value of Standards and Best Practices Documents • The development, implementation, and management of a cybersecurity system for an organization are extraordinarily complex and difficult. • A wide variety of technical approaches are involved, including cryptography, network security protocols, operating system mechanisms, database security schemes, and malware identification. • The areas of concern are broad, including stored data, data communications, human factors, physical asset and property security, and legal, regulatory, and contractual concerns. • And there is an ongoing need to maintain high confidence in the cybersecurity capability in the face of evolving IT systems, relationships with outside parties, personnel turnover, changes to the physical plant, and the ever-evolving threat landscape.
• ISF: Provide practical and comprehensive guide to identifying and managing information security risks in organizations. • ISO: Internationally-recognized standard of good practice for information security. • NIST:Provides means of addressing cybersecurity risk in critical infrastructure. • CIS: Introduced to identify, develop, validate, promote, and sustain best practice solutions for cyber defense and enable an environment of trust in cyberspace.
Standard of Good Practice for Information Security (SGP). • It provide practical and comprehensive guide to identifying and managing information security risks in organizations. The SGP is of particular interest to the following individuals:  Chief information security officers (or equivalent): Responsible for developing policy and implementing sound information security governance and information security assurance.  Business managers: Responsible for ensuring that critical business applications, processes, and local environments on which an organization’s success depends are effectively managed and controlled.  IT managers and technical staff: Responsible for designing, planning, developing, deploying, and maintaining key business applications, information systems, or facilities
• National Institute of Standards and Technology NIST (NIST) Cybersecurity Framework  A voluntary framework for reducing cyber risks to critical infrastructure.  A collection of best practices that improve efficiency and protect constituents  Consists of three components  Core: A set of cyber security activities, desired outcomes, and applicable references.  Implementation tier: Context on how an organization views cybersecurity risk and the processes in place to manage the risk.  Profile: Outcomes based on business needs, that an organization has selected, from the framework core categories and subcategories
Security Policy  A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.  Internal and external auditors: Responsible for conducting security audits.  IT service providers: Responsible for managing critical facilities (for example, computer installations, networks) on behalf of the organization.  Procurement and vendor management teams: Responsible for defining appropriate information security requirements in contracts
CYBERSECURITY FRAMEWORKS • A cybersecurity framework is, essentially, a system of standards, guidelines, and best practices to manage risks that arise in the digital world. • They typically match security objectives, like avoiding unauthorized system access with controls like requiring a username and password.
TYPES OF CYBERSECURITY FRAMEWORKS • There are many different frameworks. This includes  The International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002  The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)  The Center for Internet Security Critical Security Controls (CIS)  Payment Card Industry Data Security Standard (PCI DSS)
Organization for Standardization (ISO) 27001 • ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS). • What are the 3 ISMS security objectives?  The basic goal of ISO 27001 is to protect three aspects of information:  Confidentiality: only the authorized persons have the right to access information.  Integrity: only the authorized persons can change the information.  Availability: the information must be accessible to authorized persons whenever it is needed.
ISO 27000 series of standards • The ISO/IEC 270001 family of standards, also known as the ISO 27000 series, is a series of best practices to help organisations improve their information security. • Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement best-practice information security practices. • It does this by setting out ISMS (information security management system) requirements. • An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes and technology. • ISO 27000 is a series of international standards all related to information security
ISO 27001 • This is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS. • This is important to remember, as ISO IEC 27001: 2013 is the only standard in the series that organisations can be audited and certified against. • That’s because it contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards. • The ISO 27001 standard has an organizational focus and details requirements against which an organization’s ISMS (Information Security Management System), can be audited. • ISO 27001 holds the requirements of the Information Security Management System Standard
ISO 27002 • This is a supplementary standard that provides an overview of information security controls that organisations might choose to implement. • Organisations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment. • The controls are outlined in Annex A of ISO 27001, but whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is and how you can implement it. • ISO 27002 gives guidelines and best practices intended for organizations who are becoming certified or implementing their own security processes and controls.
Control list: the 14 control sets of Annex A • Information security policies : This annex is designed to make sure that policies are written and reviewed in line with the overall direction of the organisations’ information security practices. • Organisation of information security :This annex covers the assignment of responsibilities for specific tasks. It’s divided into two sections, with Annex A.6.1 ensuring that the organisation has established a framework that can adequately implement and maintain information security practices within the organisation.  Meanwhile, Annex A.6.2 addresses mobile devices and remote working. It’s designed to make sure that anyone who works from home or on the go – either part-time or full- time – follows appropriate practices. • Human resource security: The objective of Annex A.7 is to make sure that employees and contractors understand their responsibilities.
• Asset management :This annex concerns the way organisations identify information assets and define appropriate protection responsibilities.  It contains three sections. Annex A.8.1 is primarily about organisations identifying information assets within the scope of the ISMS.  Annex A.8.2 is about information classification. This process ensures that information assets are subject to an appropriate level of defence.  Annex A.8.3 is about media handling, ensuring that sensitive data isn’t subject to unauthorised disclosure, modification, removal or destruction
• Access control: The aim of Annex A.9 is to ensure that employees can only view information that’s relevant to their job.  It’s divided into four sections, addressing the business requirements of access controls, user access management, user responsibilities and system and application access controls, respectively. • Cryptography: This annex is about data encryption and the management of sensitive information.  Its two controls are designed to ensure that organisations use cryptography properly and effectively to protect the confidentiality, integrity and availability of data.
• Physical and environmental security :This annex addresses organisations’ physical and environment security. It’s the largest annex in the Standard, containing 15 controls separated into two sections.  The objective of Annex A.11.1 is to prevent unauthorised physical access, damage or interference to organisations’ premises or the sensitive data held therein.  Meanwhile, Annex A.11.2 deals specifically with equipment. It’s designed to prevent the loss, damage or theft of an organisation’s information asset containers – whether that’s, for example, hardware, software or physical files.
ISO 27017 and ISO 27018 • These supplementary ISO standards were introduced in 2015, explaining how organisations should protect sensitive information in the Cloud. • This has become especially important recently as organisations migrate much of their sensitive information on to online servers. • ISO 27017 is a code of practice for information security, providing extra information about how to apply the Annex A controls to information stored in the Cloud. • Under ISO 27001, you have the choice to treat these as a separate set of controls. So, you’d pick a set of controls from Annex A for your ‘normal’ data and a set of controls from ISO 27017 for data in the Cloud. • ISO 27018 works in essentially the same way but with extra consideration for personal data.
ISO 27701 • This is the newest standard in the ISO 27000 series, covering what organisations must do when implementing a PIMS (privacy information management system). • It was created in response to the GDPR (General Data Protection Regulation), which instructs organisations to adopt “appropriate technical and organisational measures” to protect personal data but doesn’t state how they should do that. • ISO 27701 fills that gap, essentially bolting privacy processing controls onto ISO 27001.
NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity • The NIST Framework for Improving Critical Infrastructure Cybersecurity, sometimes just called the “NIST cybersecurity framework,” is, as its name suggests, is intended to be used protecting critical infrastructure like power plants and dams from cyber attack. • However, its principles can apply to any organization that seeks better security. It is one of several NIST standards that cover cybersecurity. • The framework’s core is a list of cybersecurity functions that follow the basic pattern of cyber defense: identify, protect, detect, respond, and recover. • The framework provides an organized mechanism for identifying risks and assets that require protection. • It lists the ways the organization must protect these assets by detecting risks, responding to threats, and then recovering assets in the event of a security incident.
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
The NIST Cybersecurity Framework consists of three components • Core: Provides a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. • Implementation tiers: Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk • Profiles: Represents the outcomes based on business needs that an organization has selected from the Framework Core categories and subcategories
The Center for Internet Security Critical Security Controls (CIS) for Effective Cyber Defense • CIS was built in the late 2000s by a volunteer-expert coalition to create a framework for protecting companies from the threats of cybersecurity. • It is comprised of 20 controls that are regularly updated by experts from all fields – government, academia, and industry – to be consistently modern and on top of cybersecurity threats. • CIS works well for organizations that want to start out with baby steps. • Their process is divided into three groups. They start with the basics, then move into foundational, and finally, organizational. • CIS is also a great option if you want an additional framework that can coexist with other, industry-specific compliance standards (such as HIPAA and NIST).
COBIT 5 for Information Security • Control Objectives for Business and Related Technology (COBIT) is a set of documents published by ISACA, which is an independent, nonprofit, global association engaged in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. • COBIT 5, the fifth version of the set of documents to be released, is intended to be a comprehensive framework for the governance and management of enterprise IT. • Of particular concern for this book is the section of COBIT 5 that deals with information security. • COBIT 5 for information security defines a number of policies that are used to develop a management and governance strategy.
Payment Card Industry Data Security Standard (PCI DSS) • The PCI-DSS, a standard of the PCI Security Standards Council, provides guidance for maintaining payment security. • The standard sets the technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions. • In essence, PCI DSS compliance governs the way payment card data is processed, handled, and stored. It is required for merchants and all businesses that touch payment data in any way—and that’s a lot of businesses.
• The PCI defines the scope of the PCI DSS as follows:  The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.  The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. • The PCI DSS is structured around 6 goals and 12 requirements, as shown in Table 1.12 (next slide). • Each requirement is further broken up into one or two levels of sub requirements, for which testing procedures and guidance are provided.
6 goals and 12 requirements PCI DSS
The following is an example of a PCI sub requirement: • Sub requirement 8.1.2: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. • Testing procedures: For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval. • Guidance: To ensure that user accounts granted access to systems are all valid and recognized users, strong processes must manage all changes to user IDs and other authentication credentials, including adding new ones and modifying or deleting existing ones.
ALL THE BEST WITH YOUR STUDIES!!!

More Related Content

PDF
Standards & Framework.pdf
karthikvcyber
 
PPT
Standards & Framework.ppt
karthikvcyber
 
PDF
PECB Webinar ISO27001 and how 27032 can help vFinal.pdf
Peter GEELEN ✔
 
PDF
1 info sec+risk-mgmt
madunix
 
PPTX
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
PPTX
D1 security and risk management v1.62
AlliedConSapCourses
 
PPTX
INFS2701 T2 2025 Lecture 1 Data Warehousing.pptx
saniyagadekar12
 
PPTX
Week 1 - Introduction to CyberSecurity.pptx
juancx3
 
Standards & Framework.pdf
karthikvcyber
 
Standards & Framework.ppt
karthikvcyber
 
PECB Webinar ISO27001 and how 27032 can help vFinal.pdf
Peter GEELEN ✔
 
1 info sec+risk-mgmt
madunix
 
Cybersecurity Risk Management Program and Your Organization
McKonly & Asbury, LLP
 
D1 security and risk management v1.62
AlliedConSapCourses
 
INFS2701 T2 2025 Lecture 1 Data Warehousing.pptx
saniyagadekar12
 
Week 1 - Introduction to CyberSecurity.pptx
juancx3
 

Similar to Chapter 1 Best Practices, Standards, and a Plan of Action.pptx (20)

PDF
Chapter 10 security standart
newbie2019
 
PDF
Cyber security for manufacturers umuc cadf-ron mcfarland
Highervista
 
PPTX
Cybersecurity-Course.9643104.powerpoint.pptx
AfsanaMumal2
 
DOCX
Policy InformationPolicy Name __________________________ ID _.docx
stilliegeorgiana
 
PDF
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
Dancyrityshy 1foundatioieh
Anne Starr
 
PPTX
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
trinirebel1
 
PPT
Information security Lecture slides .ppt
MuhammadAbdullah311866
 
PPT
lecture on cyber security_1234567890.ppt
VijayDSK1
 
PPT
Lecture3.ppt
TSampathKumar4
 
PDF
1678784047-mid_sem-2.pdf
Rimurutempest594985
 
PPTX
DOC-20250530-WA0008.pptx.................
salmannawaz6566504
 
PPTX
Cyber-Security-Unit-1.pptx
TikdiPatel
 
PPTX
the role of 27001 in cybersecurity pp.pptx
floresmika308
 
PPT
S nandakumar
IPPAI
 
PPT
S nandakumar_banglore
IPPAI
 
PDF
Introduction to Cybersecurity.pdf
ssuserf98dd4
 
PPTX
Security Ch-1.pptx
KeenboonAsaffaa
 
PPTX
cybersecurityandthe importance of the that
JayachanduHNJc
 
PPTX
Cyber crime and Information Security.pptx
SAINATHYADAV11
 
Chapter 10 security standart
newbie2019
 
Cyber security for manufacturers umuc cadf-ron mcfarland
Highervista
 
Cybersecurity-Course.9643104.powerpoint.pptx
AfsanaMumal2
 
Policy InformationPolicy Name __________________________ ID _.docx
stilliegeorgiana
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Dancyrityshy 1foundatioieh
Anne Starr
 
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
trinirebel1
 
Information security Lecture slides .ppt
MuhammadAbdullah311866
 
lecture on cyber security_1234567890.ppt
VijayDSK1
 
Lecture3.ppt
TSampathKumar4
 
1678784047-mid_sem-2.pdf
Rimurutempest594985
 
DOC-20250530-WA0008.pptx.................
salmannawaz6566504
 
Cyber-Security-Unit-1.pptx
TikdiPatel
 
the role of 27001 in cybersecurity pp.pptx
floresmika308
 
S nandakumar
IPPAI
 
S nandakumar_banglore
IPPAI
 
Introduction to Cybersecurity.pdf
ssuserf98dd4
 
Security Ch-1.pptx
KeenboonAsaffaa
 
cybersecurityandthe importance of the that
JayachanduHNJc
 
Cyber crime and Information Security.pptx
SAINATHYADAV11
 
Ad

Recently uploaded (20)

PDF
Copy of HKISO FINAL ROUND Session 1 & 2 - S3 and SS.pdf
nothisispatrickduhh
 
PPT
Leadership essentials to build your carrier
ahmedhasan769002
 
PPTX
Top Bank Jobs in Jaipur Roles, Salaries & Smart Hiring Trends in 2025.pptx
ravisalarite
 
PPTX
FIND ODD SHAPE OUT for placement activity.pptx
YESIMSMART
 
PPTX
AMB Trainingt for School Teachers.pptx h
vidushirathiji
 
PPTX
2200jejejejejjdjeiehwiwheheu1002031.pptx
a0999574
 
PPTX
Public_Health_Informghiufdrgatics_PPT.pptx
venkiprince758
 
PPTX
PRESENTATION OF SEPSIS, SEPTIC SHOCK.pptx
ericklouiseopio
 
DOCX
Digital Marketing In Chandigarh Excellence Technology
chetann0777
 
PPTX
arif og 2.pptx defence mechanism of gingiva
arifkhansm29
 
PDF
past progressivvvvvvvvvvvvvvvvvvvvvvvvvvvvve.pdf
felipemirandac1
 
PPTX
Visit tofgwudbsbvaagsgve Sub-Center.pptx
venkiprince758
 
PDF
HR Jobs in Jaipur: 2025 Trends, Banking Careers & Smart Hiring Tools
ravisalarite
 
PPTX
UNIT-2_LESSON-4_Writing-a-Research-Statement-for-Quantitative-Research.pptx
JunwellLingaya
 
PDF
Villa Thesis-Final.pdf NNNNNNNNNNNNNNNNNNNNNNNNNNNNN
CharlynDumali
 
PDF
Professor Dr. Nazrul Islam - Curriculum Vitae.pdf
Dr. Nazrul Islam
 
PDF
Leading the Future of Logistics_ Asib Mahmud’s Vision for Smart Fleets.pdf
Asib Mahmud
 
PPT
T4C0400nbvnmbnb njb ncbs001A0011PPTE.ppt
shubhdps2004
 
PPTX
ALLIED HEALTH BScPhysicianAssistant.pptx
Lakshminarayanan Sadhasivan
 
PPTX
LIFE ORIENTATION SLIDES 2025 Grade 11.pptx
NduduzoXulu
 
Copy of HKISO FINAL ROUND Session 1 & 2 - S3 and SS.pdf
nothisispatrickduhh
 
Leadership essentials to build your carrier
ahmedhasan769002
 
Top Bank Jobs in Jaipur Roles, Salaries & Smart Hiring Trends in 2025.pptx
ravisalarite
 
FIND ODD SHAPE OUT for placement activity.pptx
YESIMSMART
 
AMB Trainingt for School Teachers.pptx h
vidushirathiji
 
2200jejejejejjdjeiehwiwheheu1002031.pptx
a0999574
 
Public_Health_Informghiufdrgatics_PPT.pptx
venkiprince758
 
PRESENTATION OF SEPSIS, SEPTIC SHOCK.pptx
ericklouiseopio
 
Digital Marketing In Chandigarh Excellence Technology
chetann0777
 
arif og 2.pptx defence mechanism of gingiva
arifkhansm29
 
past progressivvvvvvvvvvvvvvvvvvvvvvvvvvvvve.pdf
felipemirandac1
 
Visit tofgwudbsbvaagsgve Sub-Center.pptx
venkiprince758
 
HR Jobs in Jaipur: 2025 Trends, Banking Careers & Smart Hiring Tools
ravisalarite
 
UNIT-2_LESSON-4_Writing-a-Research-Statement-for-Quantitative-Research.pptx
JunwellLingaya
 
Villa Thesis-Final.pdf NNNNNNNNNNNNNNNNNNNNNNNNNNNNN
CharlynDumali
 
Professor Dr. Nazrul Islam - Curriculum Vitae.pdf
Dr. Nazrul Islam
 
Leading the Future of Logistics_ Asib Mahmud’s Vision for Smart Fleets.pdf
Asib Mahmud
 
T4C0400nbvnmbnb njb ncbs001A0011PPTE.ppt
shubhdps2004
 
ALLIED HEALTH BScPhysicianAssistant.pptx
Lakshminarayanan Sadhasivan
 
LIFE ORIENTATION SLIDES 2025 Grade 11.pptx
NduduzoXulu
 
Ad

Chapter 1 Best Practices, Standards, and a Plan of Action.pptx

  • 1. WELCOME TO RICHFIELD First Semester –Year 2021 Module Name: Cybersecurity 700 SLIDES
  • 3. Introduction • This chapter begins with a definition of cybersecurity and a discussion of the importance of standards and best practices documents in cybersecurity. • The sections that follow look at the most significant sources of these documents for effective cybersecurity management. • Finally, this chapter provides a discussion of the effective use of standards and best practices documents.
  • 4. Defining Cyberspace and Cybersecurity • Cyberspace: consists of artifacts based on or dependent on computer and communications technology; the information that these artifacts use, store, handle, or process; and the interconnections among these various elements.  An example of cyberspace is the home of Google, Yahoo and Facebook etc. • Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that are used to protect the cyberspace environment and organization and user’s assets.
  • 5. A more extensive list of cybersecurity objectives includes the following: The CIA or AIC Triad (Availability, Integrity and Confidentiality) • Availability: The property of a system or a system resource being accessible or usable or operational upon demand. It involves the following aspects:  Recovery  Backups  Redundancy  Protect against threats
  • 6. A more extensive list of cybersecurity objectives includes the following: The CIA or AIC Triad • Integrity : Messages or data cannot be modified without detection.  Making sure that attackers cannot compromise data integrity  User mistakes o File deletion o Data input errors  Least Privilege o Restrict system files o Database rights and permission
  • 7. A more extensive list of cybersecurity objectives includes the following: The CIA or AIC Triad • Confidentiality: The property that data is not disclosed to system entities unless they have been authorized to know the data. It involves the following:  Attacking confidentiality o Password files o Social Engineering  Data encryption o Storage o Transmission
  • 8. Two related terms should be mentioned: • Information security (Infosec): The main aim of InfoSec is to ensure confidentiality, integrity, and availability of company information. It allows organizations to protect digital and analog information. • Network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. • Cybersecurity encompasses information security, with respect to electronic information, and network security. Information security also is concerned with physical (for example, paper-based) information.
  • 9. The Value of Standards and Best Practices Documents • The development, implementation, and management of a cybersecurity system for an organization are extraordinarily complex and difficult. • A wide variety of technical approaches are involved, including cryptography, network security protocols, operating system mechanisms, database security schemes, and malware identification. • The areas of concern are broad, including stored data, data communications, human factors, physical asset and property security, and legal, regulatory, and contractual concerns. • And there is an ongoing need to maintain high confidence in the cybersecurity capability in the face of evolving IT systems, relationships with outside parties, personnel turnover, changes to the physical plant, and the ever-evolving threat landscape.
  • 10. • ISF: Provide practical and comprehensive guide to identifying and managing information security risks in organizations. • ISO: Internationally-recognized standard of good practice for information security. • NIST:Provides means of addressing cybersecurity risk in critical infrastructure. • CIS: Introduced to identify, develop, validate, promote, and sustain best practice solutions for cyber defense and enable an environment of trust in cyberspace.
  • 11. Standard of Good Practice for Information Security (SGP). • It provide practical and comprehensive guide to identifying and managing information security risks in organizations. The SGP is of particular interest to the following individuals:  Chief information security officers (or equivalent): Responsible for developing policy and implementing sound information security governance and information security assurance.  Business managers: Responsible for ensuring that critical business applications, processes, and local environments on which an organization’s success depends are effectively managed and controlled.  IT managers and technical staff: Responsible for designing, planning, developing, deploying, and maintaining key business applications, information systems, or facilities
  • 12. • National Institute of Standards and Technology NIST (NIST) Cybersecurity Framework  A voluntary framework for reducing cyber risks to critical infrastructure.  A collection of best practices that improve efficiency and protect constituents  Consists of three components  Core: A set of cyber security activities, desired outcomes, and applicable references.  Implementation tier: Context on how an organization views cybersecurity risk and the processes in place to manage the risk.  Profile: Outcomes based on business needs, that an organization has selected, from the framework core categories and subcategories
  • 13. Security Policy  A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.  Internal and external auditors: Responsible for conducting security audits.  IT service providers: Responsible for managing critical facilities (for example, computer installations, networks) on behalf of the organization.  Procurement and vendor management teams: Responsible for defining appropriate information security requirements in contracts
  • 14. CYBERSECURITY FRAMEWORKS • A cybersecurity framework is, essentially, a system of standards, guidelines, and best practices to manage risks that arise in the digital world. • They typically match security objectives, like avoiding unauthorized system access with controls like requiring a username and password.
  • 15. TYPES OF CYBERSECURITY FRAMEWORKS • There are many different frameworks. This includes  The International Standards Organization (ISO) frameworks ISO/IEC 27001 and 27002  The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)  The Center for Internet Security Critical Security Controls (CIS)  Payment Card Industry Data Security Standard (PCI DSS)
  • 16. Organization for Standardization (ISO) 27001 • ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS). • What are the 3 ISMS security objectives?  The basic goal of ISO 27001 is to protect three aspects of information:  Confidentiality: only the authorized persons have the right to access information.  Integrity: only the authorized persons can change the information.  Availability: the information must be accessible to authorized persons whenever it is needed.
  • 17. ISO 27000 series of standards • The ISO/IEC 270001 family of standards, also known as the ISO 27000 series, is a series of best practices to help organisations improve their information security. • Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement best-practice information security practices. • It does this by setting out ISMS (information security management system) requirements. • An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes and technology. • ISO 27000 is a series of international standards all related to information security
  • 18. ISO 27001 • This is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS. • This is important to remember, as ISO IEC 27001: 2013 is the only standard in the series that organisations can be audited and certified against. • That’s because it contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards. • The ISO 27001 standard has an organizational focus and details requirements against which an organization’s ISMS (Information Security Management System), can be audited. • ISO 27001 holds the requirements of the Information Security Management System Standard
  • 19. ISO 27002 • This is a supplementary standard that provides an overview of information security controls that organisations might choose to implement. • Organisations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment. • The controls are outlined in Annex A of ISO 27001, but whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is and how you can implement it. • ISO 27002 gives guidelines and best practices intended for organizations who are becoming certified or implementing their own security processes and controls.
  • 20. Control list: the 14 control sets of Annex A • Information security policies : This annex is designed to make sure that policies are written and reviewed in line with the overall direction of the organisations’ information security practices. • Organisation of information security :This annex covers the assignment of responsibilities for specific tasks. It’s divided into two sections, with Annex A.6.1 ensuring that the organisation has established a framework that can adequately implement and maintain information security practices within the organisation.  Meanwhile, Annex A.6.2 addresses mobile devices and remote working. It’s designed to make sure that anyone who works from home or on the go – either part-time or full- time – follows appropriate practices. • Human resource security: The objective of Annex A.7 is to make sure that employees and contractors understand their responsibilities.
  • 21. • Asset management :This annex concerns the way organisations identify information assets and define appropriate protection responsibilities.  It contains three sections. Annex A.8.1 is primarily about organisations identifying information assets within the scope of the ISMS.  Annex A.8.2 is about information classification. This process ensures that information assets are subject to an appropriate level of defence.  Annex A.8.3 is about media handling, ensuring that sensitive data isn’t subject to unauthorised disclosure, modification, removal or destruction
  • 22. • Access control: The aim of Annex A.9 is to ensure that employees can only view information that’s relevant to their job.  It’s divided into four sections, addressing the business requirements of access controls, user access management, user responsibilities and system and application access controls, respectively. • Cryptography: This annex is about data encryption and the management of sensitive information.  Its two controls are designed to ensure that organisations use cryptography properly and effectively to protect the confidentiality, integrity and availability of data.
  • 23. • Physical and environmental security :This annex addresses organisations’ physical and environment security. It’s the largest annex in the Standard, containing 15 controls separated into two sections.  The objective of Annex A.11.1 is to prevent unauthorised physical access, damage or interference to organisations’ premises or the sensitive data held therein.  Meanwhile, Annex A.11.2 deals specifically with equipment. It’s designed to prevent the loss, damage or theft of an organisation’s information asset containers – whether that’s, for example, hardware, software or physical files.
  • 24. ISO 27017 and ISO 27018 • These supplementary ISO standards were introduced in 2015, explaining how organisations should protect sensitive information in the Cloud. • This has become especially important recently as organisations migrate much of their sensitive information on to online servers. • ISO 27017 is a code of practice for information security, providing extra information about how to apply the Annex A controls to information stored in the Cloud. • Under ISO 27001, you have the choice to treat these as a separate set of controls. So, you’d pick a set of controls from Annex A for your ‘normal’ data and a set of controls from ISO 27017 for data in the Cloud. • ISO 27018 works in essentially the same way but with extra consideration for personal data.
  • 25. ISO 27701 • This is the newest standard in the ISO 27000 series, covering what organisations must do when implementing a PIMS (privacy information management system). • It was created in response to the GDPR (General Data Protection Regulation), which instructs organisations to adopt “appropriate technical and organisational measures” to protect personal data but doesn’t state how they should do that. • ISO 27701 fills that gap, essentially bolting privacy processing controls onto ISO 27001.
  • 26. NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity • The NIST Framework for Improving Critical Infrastructure Cybersecurity, sometimes just called the “NIST cybersecurity framework,” is, as its name suggests, is intended to be used protecting critical infrastructure like power plants and dams from cyber attack. • However, its principles can apply to any organization that seeks better security. It is one of several NIST standards that cover cybersecurity. • The framework’s core is a list of cybersecurity functions that follow the basic pattern of cyber defense: identify, protect, detect, respond, and recover. • The framework provides an organized mechanism for identifying risks and assets that require protection. • It lists the ways the organization must protect these assets by detecting risks, responding to threats, and then recovering assets in the event of a security incident.
  • 28. The NIST Cybersecurity Framework consists of three components • Core: Provides a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. • Implementation tiers: Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk • Profiles: Represents the outcomes based on business needs that an organization has selected from the Framework Core categories and subcategories
  • 29. The Center for Internet Security Critical Security Controls (CIS) for Effective Cyber Defense • CIS was built in the late 2000s by a volunteer-expert coalition to create a framework for protecting companies from the threats of cybersecurity. • It is comprised of 20 controls that are regularly updated by experts from all fields – government, academia, and industry – to be consistently modern and on top of cybersecurity threats. • CIS works well for organizations that want to start out with baby steps. • Their process is divided into three groups. They start with the basics, then move into foundational, and finally, organizational. • CIS is also a great option if you want an additional framework that can coexist with other, industry-specific compliance standards (such as HIPAA and NIST).
  • 30. COBIT 5 for Information Security • Control Objectives for Business and Related Technology (COBIT) is a set of documents published by ISACA, which is an independent, nonprofit, global association engaged in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. • COBIT 5, the fifth version of the set of documents to be released, is intended to be a comprehensive framework for the governance and management of enterprise IT. • Of particular concern for this book is the section of COBIT 5 that deals with information security. • COBIT 5 for information security defines a number of policies that are used to develop a management and governance strategy.
  • 31. Payment Card Industry Data Security Standard (PCI DSS) • The PCI-DSS, a standard of the PCI Security Standards Council, provides guidance for maintaining payment security. • The standard sets the technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions. • In essence, PCI DSS compliance governs the way payment card data is processed, handled, and stored. It is required for merchants and all businesses that touch payment data in any way—and that’s a lot of businesses.
  • 32. • The PCI defines the scope of the PCI DSS as follows:  The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.  The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. • The PCI DSS is structured around 6 goals and 12 requirements, as shown in Table 1.12 (next slide). • Each requirement is further broken up into one or two levels of sub requirements, for which testing procedures and guidance are provided.
  • 33. 6 goals and 12 requirements PCI DSS
  • 34. The following is an example of a PCI sub requirement: • Sub requirement 8.1.2: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. • Testing procedures: For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval. • Guidance: To ensure that user accounts granted access to systems are all valid and recognized users, strong processes must manage all changes to user IDs and other authentication credentials, including adding new ones and modifying or deleting existing ones.
  • 35. ALL THE BEST WITH YOUR STUDIES!!!